{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21921","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.788Z","datePublished":"2025-04-01T15:40:55.110Z","dateUpdated":"2026-05-11T21:09:06.682Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:09:06.682Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n       if (!phydev) {\n               NL_SET_ERR_MSG_ATTR(extack, header,\n                                   \"no phy matching phyindex\");\n               return ERR_PTR(-ENODEV);\n       }\n\nIn the notify path after a ->set operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t      info->extack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ethtool/cabletest.c","net/ethtool/linkstate.c","net/ethtool/netlink.c","net/ethtool/netlink.h","net/ethtool/phy.c","net/ethtool/plca.c","net/ethtool/pse-pd.c","net/ethtool/stats.c","net/ethtool/strset.c"],"versions":[{"version":"c15e065b46dc4e19837275b826c1960d55564abd","lessThan":"639c70352958735addbba5ae7dd65985da96e061","status":"affected","versionType":"git"},{"version":"c15e065b46dc4e19837275b826c1960d55564abd","lessThan":"1f458fa42c29144cef280e05bc49fc21b873d897","status":"affected","versionType":"git"},{"version":"c15e065b46dc4e19837275b826c1960d55564abd","lessThan":"637399bf7e77797811adf340090b561a8f9d1213","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ethtool/cabletest.c","net/ethtool/linkstate.c","net/ethtool/netlink.c","net/ethtool/netlink.h","net/ethtool/phy.c","net/ethtool/plca.c","net/ethtool/pse-pd.c","net/ethtool/stats.c","net/ethtool/strset.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.19","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.7","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.13.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"},{"url":"https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"},{"url":"https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"}],"title":"net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device","x_generator":{"engine":"bippy-1.2.0"}}}}