CVE-2025-21799 (GCVE-0-2025-21799)

Vulnerability from cvelistv5 – Published: 2025-02-27 20:00 – Updated: 2026-05-11 21:06
VLAI
Title
net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()
Summary
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid. There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value. Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning. The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns().
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < 321990fdf4f1bb64e818c7140688bf33d129e48d (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < ed8c0300f302338c36edb06bca99051e5be6fb2f (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < aea5cca681d268f794fa2385f9ec26a5cce025cd (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < 88fd5db8c0073bd91d18391feb5741aeb0a2b475 (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < 8448c87b3af68bebca21e3136913f7f77e363515 (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < 8aae91ae1c65782a169ec070e023d4d269e5d6e6 (git)
Affected: 93a76530316a3d8cc2d82c3deca48424fee92100 , < 4395a44acb15850e492dd1de9ec4b6479d96bc80 (git)
Create a notification for this product.
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:41.641Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ti/am65-cpsw-nuss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "321990fdf4f1bb64e818c7140688bf33d129e48d",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "ed8c0300f302338c36edb06bca99051e5be6fb2f",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "aea5cca681d268f794fa2385f9ec26a5cce025cd",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "88fd5db8c0073bd91d18391feb5741aeb0a2b475",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "8448c87b3af68bebca21e3136913f7f77e363515",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "8aae91ae1c65782a169ec070e023d4d269e5d6e6",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "4395a44acb15850e492dd1de9ec4b6479d96bc80",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ti/am65-cpsw-nuss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()\n\nWhen getting the IRQ we use k3_udma_glue_tx_get_irq() which returns\nnegative error value on error. So not NULL check is not sufficient\nto deteremine if IRQ is valid. Check that IRQ is greater then zero\nto ensure it is valid.\n\nThere is no issue at probe time but at runtime user can invoke\n.set_channels which results in the following call chain.\nam65_cpsw_set_channels()\n am65_cpsw_nuss_update_tx_rx_chns()\n  am65_cpsw_nuss_remove_tx_chns()\n  am65_cpsw_nuss_init_tx_chns()\n\nAt this point if am65_cpsw_nuss_init_tx_chns() fails due to\nk3_udma_glue_tx_get_irq() then tx_chn-\u003eirq will be set to a\nnegative value.\n\nThen, at subsequent .set_channels with higher channel count we\nwill attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()\nleading to a kernel warning.\n\nThe issue is present in the original commit that introduced this driver,\nalthough there, am65_cpsw_nuss_update_tx_rx_chns() existed as\nam65_cpsw_nuss_update_tx_chns()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:06:43.610Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/321990fdf4f1bb64e818c7140688bf33d129e48d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed8c0300f302338c36edb06bca99051e5be6fb2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/aea5cca681d268f794fa2385f9ec26a5cce025cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/88fd5db8c0073bd91d18391feb5741aeb0a2b475"
        },
        {
          "url": "https://git.kernel.org/stable/c/8448c87b3af68bebca21e3136913f7f77e363515"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aae91ae1c65782a169ec070e023d4d269e5d6e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4395a44acb15850e492dd1de9ec4b6479d96bc80"
        }
      ],
      "title": "net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21799",
    "datePublished": "2025-02-27T20:00:54.223Z",
    "dateReserved": "2024-12-29T08:45:45.770Z",
    "dateUpdated": "2026-05-11T21:06:43.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21799",
      "date": "2026-06-08",
      "epss": "0.00017",
      "percentile": "0.04161"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21799\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T20:16:02.563\",\"lastModified\":\"2025-11-03T21:19:11.243\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()\\n\\nWhen getting the IRQ we use k3_udma_glue_tx_get_irq() which returns\\nnegative error value on error. So not NULL check is not sufficient\\nto deteremine if IRQ is valid. Check that IRQ is greater then zero\\nto ensure it is valid.\\n\\nThere is no issue at probe time but at runtime user can invoke\\n.set_channels which results in the following call chain.\\nam65_cpsw_set_channels()\\n am65_cpsw_nuss_update_tx_rx_chns()\\n  am65_cpsw_nuss_remove_tx_chns()\\n  am65_cpsw_nuss_init_tx_chns()\\n\\nAt this point if am65_cpsw_nuss_init_tx_chns() fails due to\\nk3_udma_glue_tx_get_irq() then tx_chn-\u003eirq will be set to a\\nnegative value.\\n\\nThen, at subsequent .set_channels with higher channel count we\\nwill attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()\\nleading to a kernel warning.\\n\\nThe issue is present in the original commit that introduced this driver,\\nalthough there, am65_cpsw_nuss_update_tx_rx_chns() existed as\\nam65_cpsw_nuss_update_tx_chns().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ethernet: ti: am65-cpsw: arreglo de liberaci\u00f3n de IRQ en am65_cpsw_nuss_remove_tx_chns() Al obtener la IRQ, usamos k3_udma_glue_tx_get_irq() que devuelve un valor de error negativo en caso de error. Por lo tanto, la comprobaci\u00f3n de que no sea NULL no es suficiente para determinar si la IRQ es v\u00e1lida. Compruebe que la IRQ sea mayor que cero para asegurarse de que sea v\u00e1lida. No hay ning\u00fan problema en el momento de la prueba, pero en el momento de la ejecuci\u00f3n, el usuario puede invocar .set_channels, lo que da como resultado la siguiente cadena de llamadas. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() En este punto, si am65_cpsw_nuss_init_tx_chns() falla debido a k3_udma_glue_tx_get_irq(), tx_chn-\u0026gt;irq se establecer\u00e1 en un valor negativo. Luego, en los .set_channels posteriores con un mayor conteo de canales, intentaremos liberar una IRQ no v\u00e1lida en am65_cpsw_nuss_remove_tx_chns(), lo que generar\u00e1 una advertencia del kernel. El problema est\u00e1 presente en el commit original que introdujo este controlador, aunque all\u00ed, am65_cpsw_nuss_update_tx_rx_chns() exist\u00eda como am65_cpsw_nuss_update_tx_chns().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7\",\"versionEndExcluding\":\"5.10.235\",\"matchCriteriaId\":\"3D5CC9A1-5315-4625-AE8A-2D18D09E897D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.179\",\"matchCriteriaId\":\"C708062C-4E1B-465F-AE6D-C09C46400875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.129\",\"matchCriteriaId\":\"2DA5009C-C9B9-4A1D-9B96-78427E8F232C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.76\",\"matchCriteriaId\":\"A6D70701-9CB6-4222-A957-00A419878993\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.13\",\"matchCriteriaId\":\"2897389C-A8C3-4D69-90F2-E701B3D66373\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.2\",\"matchCriteriaId\":\"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/321990fdf4f1bb64e818c7140688bf33d129e48d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4395a44acb15850e492dd1de9ec4b6479d96bc80\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8448c87b3af68bebca21e3136913f7f77e363515\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/88fd5db8c0073bd91d18391feb5741aeb0a2b475\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8aae91ae1c65782a169ec070e023d4d269e5d6e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aea5cca681d268f794fa2385f9ec26a5cce025cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ed8c0300f302338c36edb06bca99051e5be6fb2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.