{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21852","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.779Z","datePublished":"2025-03-12T09:42:07.175Z","dateUpdated":"2026-05-11T21:07:45.279Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:07:45.279Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Add rx_skb of kfree_skb to raw_tp_null_args[].\n\nYan Zhai reported a BPF prog could trigger a null-ptr-deref [0]\nin trace_kfree_skb if the prog does not check if rx_sk is NULL.\n\nCommit c53795d48ee8 (\"net: add rx_sk to trace_kfree_skb\") added\nrx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.\n\nLet's add kfree_skb to raw_tp_null_args[] to let the BPF verifier\nvalidate such a prog and prevent the issue.\n\nNow we fail to load such a prog:\n\n  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --\n  0: R1=ctx() R10=fp0\n  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21\n  0: (79) r3 = *(u64 *)(r1 +24)\n  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'\n  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)\n  ; bpf_printk(\"sk: %d, %d\\n\", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24\n  1: (69) r4 = *(u16 *)(r3 +16)\n  R3 invalid mem access 'trusted_ptr_or_null_'\n  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0\n  -- END PROG LOAD LOG --\n\nNote this fix requires commit 838a10bd2ebf (\"bpf: Augment raw_tp\narguments with PTR_MAYBE_NULL\").\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000010\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP\nRIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\nCall Trace:\n <TASK>\n ? __die+0x1f/0x60\n ? page_fault_oops+0x148/0x420\n ? search_bpf_extables+0x5b/0x70\n ? fixup_exception+0x27/0x2c0\n ? exc_page_fault+0x75/0x170\n ? asm_exc_page_fault+0x22/0x30\n ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\n bpf_trace_run4+0x68/0xd0\n ? unix_stream_connect+0x1f4/0x6f0\n sk_skb_reason_drop+0x90/0x120\n unix_stream_connect+0x1f4/0x6f0\n __sys_connect+0x7f/0xb0\n __x64_sys_connect+0x14/0x20\n do_syscall_64+0x47/0xc30\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/btf.c"],"versions":[{"version":"c53795d48ee8f385c6a9e394651e7ee914baaeba","lessThan":"f579afacd0a66971fc8481f30d2d377e230a8342","status":"affected","versionType":"git"},{"version":"c53795d48ee8f385c6a9e394651e7ee914baaeba","lessThan":"4dba79c1e7aad6620bbb707b6c4459380fd90860","status":"affected","versionType":"git"},{"version":"c53795d48ee8f385c6a9e394651e7ee914baaeba","lessThan":"5da7e15fb5a12e78de974d8908f348e279922ce9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/btf.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"6.12.17","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.5","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.13.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f579afacd0a66971fc8481f30d2d377e230a8342"},{"url":"https://git.kernel.org/stable/c/4dba79c1e7aad6620bbb707b6c4459380fd90860"},{"url":"https://git.kernel.org/stable/c/5da7e15fb5a12e78de974d8908f348e279922ce9"}],"title":"net: Add rx_skb of kfree_skb to raw_tp_null_args[].","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-21852","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:26:08.323491Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:26:38.622Z"}}]}}