CVE-2025-21650 (GCVE-0-2025-21650)

Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2026-05-23 15:56
VLAI
Title
net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue
Summary
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs 1024-1279 are in different BAR space addresses. However, hclge_fetch_pf_reg does not distinguish the tqp space information when reading the tqp space information. When the number of TQPs is greater than 1024, access bar space overwriting occurs. The problem of different segments has been considered during the initialization of tqp.io_base. Therefore, tqp.io_base is directly used when the queue is read in hclge_fetch_pf_reg. The error message: Unable to handle kernel paging request at virtual address ffff800037200000 pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] lr : hclge_get_regs+0x84/0x1d0 [hclge] Call trace: hclge_fetch_pf_reg+0x138/0x250 [hclge] hclge_get_regs+0x84/0x1d0 [hclge] hns3_get_regs+0x2c/0x50 [hns3] ethtool_get_regs+0xf4/0x270 dev_ethtool+0x674/0x8a0 dev_ioctl+0x270/0x36c sock_do_ioctl+0x110/0x2a0 sock_ioctl+0x2ac/0x530 __arm64_sys_ioctl+0xa8/0x100 invoke_syscall+0x4c/0x124 el0_svc_common.constprop.0+0x140/0x15c do_el0_svc+0x30/0xd0 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 939ccd107ffcade20c9c7055a2e7ae0fd724fb72 , < 0575baa733fc4219f230aef22d5bc35d922f1e9a (git)
Affected: 939ccd107ffcade20c9c7055a2e7ae0fd724fb72 , < 7997ddd46c54408bcba5e37fe18b4d832e45d4d4 (git)
Affected: df34972a33d268a7113c119fe4e4b07a6819aa0c (git)
Affected: 2b1fff96a297034f03466cfecda9824adafe16ed (git)
Affected: 6.4.16 , < 6.5 (semver)
Affected: 6.5.3 , < 6.6 (semver)
Create a notification for this product.
Linux Linux Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21650",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:53:49.493416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:16.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0575baa733fc4219f230aef22d5bc35d922f1e9a",
              "status": "affected",
              "version": "939ccd107ffcade20c9c7055a2e7ae0fd724fb72",
              "versionType": "git"
            },
            {
              "lessThan": "7997ddd46c54408bcba5e37fe18b4d832e45d4d4",
              "status": "affected",
              "version": "939ccd107ffcade20c9c7055a2e7ae0fd724fb72",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df34972a33d268a7113c119fe4e4b07a6819aa0c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2b1fff96a297034f03466cfecda9824adafe16ed",
              "versionType": "git"
            },
            {
              "lessThan": "6.5",
              "status": "affected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue\n\nThe TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs\n1024-1279 are in different BAR space addresses. However,\nhclge_fetch_pf_reg does not distinguish the tqp space information when\nreading the tqp space information. When the number of TQPs is greater\nthan 1024, access bar space overwriting occurs.\nThe problem of different segments has been considered during the\ninitialization of tqp.io_base. Therefore, tqp.io_base is directly used\nwhen the queue is read in hclge_fetch_pf_reg.\n\nThe error message:\n\nUnable to handle kernel paging request at virtual address ffff800037200000\npc : hclge_fetch_pf_reg+0x138/0x250 [hclge]\nlr : hclge_get_regs+0x84/0x1d0 [hclge]\nCall trace:\n hclge_fetch_pf_reg+0x138/0x250 [hclge]\n hclge_get_regs+0x84/0x1d0 [hclge]\n hns3_get_regs+0x2c/0x50 [hns3]\n ethtool_get_regs+0xf4/0x270\n dev_ethtool+0x674/0x8a0\n dev_ioctl+0x270/0x36c\n sock_do_ioctl+0x110/0x2a0\n sock_ioctl+0x2ac/0x530\n __arm64_sys_ioctl+0xa8/0x100\n invoke_syscall+0x4c/0x124\n el0_svc_common.constprop.0+0x140/0x15c\n do_el0_svc+0x30/0xd0\n el0_svc+0x1c/0x2c\n el0_sync_handler+0xb0/0xb4\n el0_sync+0x168/0x180"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:56:47.603Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0575baa733fc4219f230aef22d5bc35d922f1e9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7997ddd46c54408bcba5e37fe18b4d832e45d4d4"
        }
      ],
      "title": "net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21650",
    "datePublished": "2025-01-19T10:18:07.976Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2026-05-23T15:56:47.603Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21650",
      "date": "2026-06-15",
      "epss": "0.00188",
      "percentile": "0.08571"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21650\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-19T11:15:10.630\",\"lastModified\":\"2025-10-01T20:18:16.897\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue\\n\\nThe TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs\\n1024-1279 are in different BAR space addresses. However,\\nhclge_fetch_pf_reg does not distinguish the tqp space information when\\nreading the tqp space information. When the number of TQPs is greater\\nthan 1024, access bar space overwriting occurs.\\nThe problem of different segments has been considered during the\\ninitialization of tqp.io_base. Therefore, tqp.io_base is directly used\\nwhen the queue is read in hclge_fetch_pf_reg.\\n\\nThe error message:\\n\\nUnable to handle kernel paging request at virtual address ffff800037200000\\npc : hclge_fetch_pf_reg+0x138/0x250 [hclge]\\nlr : hclge_get_regs+0x84/0x1d0 [hclge]\\nCall trace:\\n hclge_fetch_pf_reg+0x138/0x250 [hclge]\\n hclge_get_regs+0x84/0x1d0 [hclge]\\n hns3_get_regs+0x2c/0x50 [hns3]\\n ethtool_get_regs+0xf4/0x270\\n dev_ethtool+0x674/0x8a0\\n dev_ioctl+0x270/0x36c\\n sock_do_ioctl+0x110/0x2a0\\n sock_ioctl+0x2ac/0x530\\n __arm64_sys_ioctl+0xa8/0x100\\n invoke_syscall+0x4c/0x124\\n el0_svc_common.constprop.0+0x140/0x15c\\n do_el0_svc+0x30/0xd0\\n el0_svc+0x1c/0x2c\\n el0_sync_handler+0xb0/0xb4\\n el0_sync+0x168/0x180\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net:hns3: se ha corregido el problema de que hclge_fetch_pf_reg accede al espacio de la barra fuera de los l\u00edmites El espacio BAR de TQP se divide en dos segmentos. Los TQP 0-1023 y los TQP 1024-1279 est\u00e1n en diferentes direcciones de espacio BAR. Sin embargo, hclge_fetch_pf_reg no distingue la informaci\u00f3n del espacio tqp al leer la informaci\u00f3n del espacio tqp. Cuando el n\u00famero de TQP es mayor que 1024, se produce una sobrescritura del espacio de la barra de acceso. El problema de los diferentes segmentos se ha considerado durante la inicializaci\u00f3n de tqp.io_base. Por lo tanto, tqp.io_base se utiliza directamente cuando se lee la cola en hclge_fetch_pf_reg. Mensaje de error: No se puede gestionar la solicitud de paginaci\u00f3n del n\u00facleo en la direcci\u00f3n virtual ffff800037200000 pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] lr : hclge_get_regs+0x84/0x1d0 [hclge] Call trace: hclge_fetch_pf_reg+0x138/0x250 [hclge] hclge_get_regs+0x84/0x1d0 [hclge] hns3_get_regs+0x2c/0x50 [hns3] ethtool_get_regs+0xf4/0x270 dev_ethtool+0x674/0x8a0 dev_ioctl+0x270/0x36c sock_do_ioctl+0x110/0x2a0 sock_ioctl+0x2ac/0x530 __arm64_sys_ioctl+0xa8/0x100 invoke_syscall+0x4c/0x124 el0_svc_common.constprop.0+0x140/0x15c do_el0_svc+0x30/0xd0 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180 \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4.16\",\"versionEndExcluding\":\"6.5\",\"matchCriteriaId\":\"A5099559-2D15-42A5-A561-71B34FEFF36F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5.3\",\"versionEndExcluding\":\"6.12.10\",\"matchCriteriaId\":\"027A0A90-C67C-4EB4-8FF4-E9701C342DF8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A073481-106D-4B15-B4C7-FB0213B8E1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE491969-75AE-4A6B-9A58-8FC5AF98798F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"93C0660D-7FB8-4FBA-892A-B064BA71E49E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"034C36A6-C481-41F3-AE9A-D116E5BE6895\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0575baa733fc4219f230aef22d5bc35d922f1e9a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7997ddd46c54408bcba5e37fe18b4d832e45d4d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21650\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T19:53:49.493416Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T15:55:56.524Z\"}}], \"cna\": {\"title\": \"net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"939ccd107ffcade20c9c7055a2e7ae0fd724fb72\", \"lessThan\": \"0575baa733fc4219f230aef22d5bc35d922f1e9a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"939ccd107ffcade20c9c7055a2e7ae0fd724fb72\", \"lessThan\": \"7997ddd46c54408bcba5e37fe18b4d832e45d4d4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"df34972a33d268a7113c119fe4e4b07a6819aa0c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"2b1fff96a297034f03466cfecda9824adafe16ed\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c\", \"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.12.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c\", \"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/0575baa733fc4219f230aef22d5bc35d922f1e9a\"}, {\"url\": \"https://git.kernel.org/stable/c/7997ddd46c54408bcba5e37fe18b4d832e45d4d4\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue\\n\\nThe TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs\\n1024-1279 are in different BAR space addresses. However,\\nhclge_fetch_pf_reg does not distinguish the tqp space information when\\nreading the tqp space information. When the number of TQPs is greater\\nthan 1024, access bar space overwriting occurs.\\nThe problem of different segments has been considered during the\\ninitialization of tqp.io_base. Therefore, tqp.io_base is directly used\\nwhen the queue is read in hclge_fetch_pf_reg.\\n\\nThe error message:\\n\\nUnable to handle kernel paging request at virtual address ffff800037200000\\npc : hclge_fetch_pf_reg+0x138/0x250 [hclge]\\nlr : hclge_get_regs+0x84/0x1d0 [hclge]\\nCall trace:\\n hclge_fetch_pf_reg+0x138/0x250 [hclge]\\n hclge_get_regs+0x84/0x1d0 [hclge]\\n hns3_get_regs+0x2c/0x50 [hns3]\\n ethtool_get_regs+0xf4/0x270\\n dev_ethtool+0x674/0x8a0\\n dev_ioctl+0x270/0x36c\\n sock_do_ioctl+0x110/0x2a0\\n sock_ioctl+0x2ac/0x530\\n __arm64_sys_ioctl+0xa8/0x100\\n invoke_syscall+0x4c/0x124\\n el0_svc_common.constprop.0+0x140/0x15c\\n do_el0_svc+0x30/0xd0\\n el0_svc+0x1c/0x2c\\n el0_sync_handler+0xb0/0xb4\\n el0_sync+0x168/0x180\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.10\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.5.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T13:06:11.282Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21650\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T19:57:16.978Z\", \"dateReserved\": \"2024-12-29T08:45:45.728Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-01-19T10:18:07.976Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.