CVE-2025-21921

In the Linux kernel, the following vulnerability has been resolved: net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device ethnl_req_get_phydev() is used to lookup a phy_device, in the case an ethtool netlink command targets a specific phydev within a netdev's topology. It takes as a parameter a const struct nlattr *header that's used for error handling : if (!phydev) { NL_SET_ERR_MSG_ATTR(extack, header, "no phy matching phyindex"); return ERR_PTR(-ENODEV); } In the notify path after a ->set operation however, there's no request attributes available. The typical callsite for the above function looks like: phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER], info->extack); So, when tb is NULL (such as in the ethnl notify path), we have a nice crash. It turns out that there's only the PLCA command that is in that case, as the other phydev-specific commands don't have a notification. This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897	Patch
https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213	Patch
https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc5::::::

History

No history.

Information

Published : 2025-04-01 16:15

Updated : 2025-10-31 18:08

NVD link : CVE-2025-21921

Mitre link : CVE-2025-21921

CVE.ORG link : CVE-2025-21921

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2025-21921", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-01T16:15:22.790", "references": [{"url": "https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n if (!phydev) {\n NL_SET_ERR_MSG_ATTR(extack, header,\n \"no phy matching phyindex\");\n return ERR_PTR(-ENODEV);\n }\n\nIn the notify path after a ->set operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t info->extack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ethtool: netlink: Permite nlattrs nulos al obtener un phy_device. ethnl_req_get_phydev() se usa para buscar un phy_device si el comando netlink de ethtool apunta a un phydev espec\u00edfico dentro de la topolog\u00eda de un netdev. Toma como par\u00e1metro una constante struct nlattr *header que se usa para la gesti\u00f3n de errores: if (!phydev) { NL_SET_ERR_MSG_ATTR(extack, header, \"no phy matches phyindex\"); return ERR_PTR(-ENODEV); } Sin embargo, en la ruta de notificaci\u00f3n despu\u00e9s de una operaci\u00f3n ->set, no hay atributos de solicitud disponibles. El sitio de llamada t\u00edpico para la funci\u00f3n anterior se ve as\u00ed: phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER], info->extack); Por lo tanto, cuando tb es nulo (como en la ruta de notificaci\u00f3n de ethnl), se produce un fallo. Resulta que solo el comando PLCA se encuentra en ese caso, ya que los dem\u00e1s comandos espec\u00edficos de phydev no tienen notificaci\u00f3n. Esta confirmaci\u00f3n corrige el fallo pasando el \u00edndice cmd y la matriz nlattr por separado, lo que permite comprobar su estado nulo directamente dentro del asistente."}], "lastModified": "2025-10-31T18:08:21.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC0CC37A-843F-489C-B8A2-45012E0AF641", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}