CVE-2025-21717Out-of-bounds Read in Linux

CWE-125Out-of-bounds Read5 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 91.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedFeb 27

Description

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq kvzalloc_node is not doing a runtime check on the node argument (__alloc_pages_node_noprof does have a VM_BUG_ON, but it expands to nothing on !CONFIG_DEBUG_VM builds), so doing any ethtool/netlink operation that calls mlx5e_open on a CPU that's larger that MAX_NUMNODES triggers OOB access and panic (see the trace below). Add missing cpu_to_node

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

NVDlinux/linux_kernel6.136.13.2
CVEListV5linux/linuxbb135e40129ddd254cfb474b58981313be79a631a275db45b4161d01716559dd7557db9ea0450952+2
debiandebian/linux

Patches

Patch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

2
OSV
CVE-2025-21717: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq k2025-02-27
GHSA
GHSA-6v7v-ggwx-mwx7: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq2025-02-27

📋Vendor Advisories

2
Red Hat
kernel: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq2025-02-27
Debian
CVE-2025-21717: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: ...2025
CVE-2025-21717 — Out-of-bounds Read in Linux | cvebase