CVE-2025-21855 (GCVE-0-2025-21855)

Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2026-05-11 21:07
VLAI
Title
ibmvnic: Don't reference skb after sending to VIOS
Summary
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ==================================================================
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < 501ac6a7e21b82e05207c6b4449812d82820f306 (git)
Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < 093b0e5c90592773863f300b908b741622eef597 (git)
Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < 25dddd01dcc8ef3acff964dbb32eeb0d89f098e9 (git)
Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < abaff2717470e4b5b7c0c3a90e128b211a23da09 (git)
Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < bdf5d13aa05ec314d4385b31ac974d6c7e0997c9 (git)
Create a notification for this product.
Linux Linux Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.80 , ≤ 6.6.* (semver)
Unaffected: 6.12.17 , ≤ 6.12.* (semver)
Unaffected: 6.13.5 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21855",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T15:22:53.080311Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T15:32:00.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:10.767Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "501ac6a7e21b82e05207c6b4449812d82820f306",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "093b0e5c90592773863f300b908b741622eef597",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "25dddd01dcc8ef3acff964dbb32eeb0d89f098e9",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "abaff2717470e4b5b7c0c3a90e128b211a23da09",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "bdf5d13aa05ec314d4385b31ac974d6c7e0997c9",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don\u0027t reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb-\u003elen\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n \u003c...\u003e\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n \u003c...\u003e\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n \u003c...\u003e\n The buggy address belongs to the object at c00000024eb48a00 which\n  belongs to the cache skbuff_head_cache of size 224\n=================================================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:07:48.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306"
        },
        {
          "url": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597"
        },
        {
          "url": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
        }
      ],
      "title": "ibmvnic: Don\u0027t reference skb after sending to VIOS",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21855",
    "datePublished": "2025-03-12T09:42:09.251Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2026-05-11T21:07:48.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21855",
      "date": "2026-05-29",
      "epss": "0.00014",
      "percentile": "0.02684"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21855\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-03-12T10:15:18.320\",\"lastModified\":\"2025-11-03T20:17:22.350\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nibmvnic: Don\u0027t reference skb after sending to VIOS\\n\\nPreviously, after successfully flushing the xmit buffer to VIOS,\\nthe tx_bytes stat was incremented by the length of the skb.\\n\\nIt is invalid to access the skb memory after sending the buffer to\\nthe VIOS because, at any point after sending, the VIOS can trigger\\nan interrupt to free this memory. A race between reading skb-\u003elen\\nand freeing the skb is possible (especially during LPM) and will\\nresult in use-after-free:\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\\n \u003c...\u003e\\n Call Trace:\\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\\n \u003c...\u003e\\n Freed by task 0:\\n kasan_save_stack+0x34/0x68\\n kasan_save_track+0x2c/0x50\\n kasan_save_free_info+0x64/0x108\\n __kasan_mempool_poison_object+0x148/0x2d4\\n napi_skb_cache_put+0x5c/0x194\\n net_tx_action+0x154/0x5b8\\n handle_softirqs+0x20c/0x60c\\n do_softirq_own_stack+0x6c/0x88\\n \u003c...\u003e\\n The buggy address belongs to the object at c00000024eb48a00 which\\n  belongs to the cache skbuff_head_cache of size 224\\n==================================================================\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ibmvnic: No hacer referencia a skb despu\u00e9s de enviar a VIOS. Anteriormente, tras vaciar correctamente el b\u00fafer de transmisi\u00f3n a VIOS, la estad\u00edstica tx_bytes se incrementaba seg\u00fan la longitud de skb. No es posible acceder a la memoria de skb despu\u00e9s de enviar el b\u00fafer a VIOS, ya que, en cualquier momento posterior al env\u00edo, VIOS puede activar una interrupci\u00f3n para liberar esta memoria. Es posible que se produzca una carrera entre la lectura de skb-\u0026gt;len y la liberaci\u00f3n de skb (especialmente durante LPM) y esto dar\u00e1 como resultado un uso despu\u00e9s de la liberaci\u00f3n: ======================================================================== ERROR KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 \u0026lt;...\u0026gt; Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 \u0026lt;...\u0026gt; Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 \u0026lt;...\u0026gt; The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 =======================================================================\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.5\",\"versionEndExcluding\":\"6.1.130\",\"matchCriteriaId\":\"0B2C3CF4-360E-4E1B-B335-6F75CCB6456A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.80\",\"matchCriteriaId\":\"A93F3655-6FAF-43B0-8541-A212998F05B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.17\",\"matchCriteriaId\":\"15370AEE-6D1C-49C3-8CB7-E889D5F92B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.5\",\"matchCriteriaId\":\"72E69ABB-9015-43A6-87E1-5150383CFFD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:38:10.767Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21855\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-28T15:22:53.080311Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-28T15:22:54.367Z\"}}], \"cna\": {\"title\": \"ibmvnic: Don\u0027t reference skb after sending to VIOS\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"032c5e82847a2214c3196a90f0aeba0ce252de58\", \"lessThan\": \"501ac6a7e21b82e05207c6b4449812d82820f306\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"032c5e82847a2214c3196a90f0aeba0ce252de58\", \"lessThan\": \"093b0e5c90592773863f300b908b741622eef597\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"032c5e82847a2214c3196a90f0aeba0ce252de58\", \"lessThan\": \"25dddd01dcc8ef3acff964dbb32eeb0d89f098e9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"032c5e82847a2214c3196a90f0aeba0ce252de58\", \"lessThan\": \"abaff2717470e4b5b7c0c3a90e128b211a23da09\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"032c5e82847a2214c3196a90f0aeba0ce252de58\", \"lessThan\": \"bdf5d13aa05ec314d4385b31ac974d6c7e0997c9\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/ibm/ibmvnic.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.5\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.1.130\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.80\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.17\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/ibm/ibmvnic.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306\"}, {\"url\": \"https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597\"}, {\"url\": \"https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9\"}, {\"url\": \"https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09\"}, {\"url\": \"https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nibmvnic: Don\u0027t reference skb after sending to VIOS\\n\\nPreviously, after successfully flushing the xmit buffer to VIOS,\\nthe tx_bytes stat was incremented by the length of the skb.\\n\\nIt is invalid to access the skb memory after sending the buffer to\\nthe VIOS because, at any point after sending, the VIOS can trigger\\nan interrupt to free this memory. A race between reading skb-\u003elen\\nand freeing the skb is possible (especially during LPM) and will\\nresult in use-after-free:\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\\n \u003c...\u003e\\n Call Trace:\\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\\n \u003c...\u003e\\n Freed by task 0:\\n kasan_save_stack+0x34/0x68\\n kasan_save_track+0x2c/0x50\\n kasan_save_free_info+0x64/0x108\\n __kasan_mempool_poison_object+0x148/0x2d4\\n napi_skb_cache_put+0x5c/0x194\\n net_tx_action+0x154/0x5b8\\n handle_softirqs+0x20c/0x60c\\n do_softirq_own_stack+0x6c/0x88\\n \u003c...\u003e\\n The buggy address belongs to the object at c00000024eb48a00 which\\n  belongs to the cache skbuff_head_cache of size 224\\n==================================================================\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.130\", \"versionStartIncluding\": \"4.5\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.80\", \"versionStartIncluding\": \"4.5\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.17\", \"versionStartIncluding\": \"4.5\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.5\", \"versionStartIncluding\": \"4.5\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"4.5\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:07:48.735Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21855\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T21:07:48.735Z\", \"dateReserved\": \"2024-12-29T08:45:45.780Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-03-12T09:42:09.251Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.