CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem()
First published: Thu Apr 03 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | >=5.16<6.1.132 | |
| Linux Kernel | >=6.2<6.6.85 | |
| Linux Kernel | >=6.7<6.12.21 | |
| Linux Kernel | >=6.13<6.13.9 | |
| Linux Kernel | =6.14-rc1 | |
| Linux Kernel | =6.14-rc2 | |
| Linux Kernel | =6.14-rc3 | |
| Linux Kernel | =6.14-rc4 | |
| Linux Kernel | =6.14-rc5 | |
| Linux Kernel | =6.14-rc6 | |
| Linux Kernel | =6.14-rc7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/205649d642a5b376724f04f3a5b3586815e43d3b
- https://git.kernel.org/stable/c/b7b4be1fa43294b50b22e812715198629806678a
- https://git.kernel.org/stable/c/130290f44bce0eead2b827302109afc3fe189ddd
- https://git.kernel.org/stable/c/c7670c197b0f1a8726ad5c87bc2bf001a1fc1bbd
- https://git.kernel.org/stable/c/559847f56769037e5b2e0474d3dbff985b98083d
Frequently Asked Questions
What is the severity of CVE-2025-21997?
CVE-2025-21997 is considered a high-severity vulnerability due to the potential for integer overflow leading to system instability.
How do I fix CVE-2025-21997?
To fix CVE-2025-21997, you should update to the latest version of the Linux kernel where the vulnerability has been patched.
What systems are affected by CVE-2025-21997?
CVE-2025-21997 affects the Linux kernel, impacting systems that utilize vulnerable versions.
What type of vulnerability is CVE-2025-21997?
CVE-2025-21997 is an integer overflow vulnerability in the Linux kernel's xsk module.
Can CVE-2025-21997 be exploited remotely?
CVE-2025-21997 may allow local user privileges to escalate, but it is not typically exploited remotely.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/type
- agent/references
- agent/description
- agent/title
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- agent/source
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/tags
- agent/softwarecombine
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.13
- version/linux kernel/6.14-rc1
- version/linux kernel/6.14-rc2
- version/linux kernel/6.14-rc3
- version/linux kernel/6.14-rc4
- version/linux kernel/6.14-rc5
- version/linux kernel/6.14-rc6
- version/linux kernel/6.14-rc7