{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21653", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.729Z", "datePublished": "2025-01-19T10:18:10.354Z", "dateUpdated": "2025-02-02T10:16:09.966Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-02T10:16:09.966Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\n\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shitfing a 32bit integer is undefined for large shift values.\n\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\n tc_classify include/net/tc_wrapper.h:197 [inline]\n __tcf_classify net/sched/cls_api.c:1771 [inline]\n tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\n sfb_classify net/sched/sch_sfb.c:260 [inline]\n sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\n dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n __dev_xmit_skb net/core/dev.c:3889 [inline]\n __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_hh_output include/net/neighbour.h:523 [inline]\n neigh_output include/net/neighbour.h:537 [inline]\n ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\n udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\n geneve_xmit_skb drivers/net/geneve.c:916 [inline]\n geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flow.c"], "versions": [{"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "9858f4afeb2e59506e714176bd3e135539a3eeec", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "43658e4a5f2770ad94e93362885ff51c10cf3179", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "a313d6e6d5f3a631cae5a241c392c28868aa5c5e", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "2011749ca96460386844dfc7e0fde53ebee96f3c", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "6fde663f7321418996645ee602a473457640542f", "status": "affected", "versionType": "git"}, {"version": "e5dfb815181fcb186d6080ac3a091eadff2d98fe", "lessThan": "a039e54397c6a75b713b9ce7894a62e06956aa92", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flow.c"], "versions": [{"version": "2.6.25", "status": "affected"}, {"version": "0", "lessThan": "2.6.25", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.290", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.234", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.177", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.125", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.72", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.10", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec"}, {"url": "https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179"}, {"url": "https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e"}, {"url": "https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c"}, {"url": "https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61"}, {"url": "https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f"}, {"url": "https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92"}], "title": "net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\n\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shitfing a 32bit integer is undefined for large shift values.\n\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\n tc_classify include/net/tc_wrapper.h:197 [inline]\n __tcf_classify net/sched/cls_api.c:1771 [inline]\n tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\n sfb_classify net/sched/sch_sfb.c:260 [inline]\n sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\n dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n __dev_xmit_skb net/core/dev.c:3889 [inline]\n __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_hh_output include/net/neighbour.h:523 [inline]\n neigh_output include/net/neighbour.h:537 [inline]\n ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\n udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\n geneve_xmit_skb drivers/net/geneve.c:916 [inline]\n geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net_sched: cls_flow: validar el atributo TCA_FLOW_RSHIFT syzbot encontr\u00f3 que el atributo TCA_FLOW_RSHIFT no estaba validado. El uso de un entero de 32 bits con valores de desplazamiento grandes no est\u00e1 definido. UBSAN: cambio fuera de los l\u00edmites en net/sched/cls_flow.c:329:23 El exponente de cambio 9445 es demasiado grande para el tipo de 32 bits 'u32' (tambi\u00e9n conocido como 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 No contaminado 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Cola de trabajo: ipv6_addrconf addrconf_dad_work Seguimiento de llamadas: __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [en l\u00ednea] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 tc_classify include/net/tc_wrapper.h:197 [en l\u00ednea] __tcf_classify net/sched/cls_api.c:1771 [en l\u00ednea] tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 sfb_classify net/sched/sch_sfb.c:260 [en l\u00ednea] sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 __dev_xmit_skb net/core/dev.c:3889 [en l\u00ednea] __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [en l\u00ednea] neigh_hh_output include/net/neighbour.h:523 [en l\u00ednea] neigh_output include/net/neighbour.h:537 [en l\u00ednea] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 geneve_xmit_skb drivers/net/geneve.c:916 [en l\u00ednea] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdev_start_xmit include/linux/netdevice.h:5002 [en l\u00ednea] netdev_start_xmit include/linux/netdevice.h:5011 [en l\u00ednea] xmit_one net/core/dev.c:3590 [en l\u00ednea] dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 __dev_queue_xmit+0x1b73/0x3f50 red/n\u00facleo/dev.c:4434"}], "id": "CVE-2025-21653", "lastModified": "2025-02-02T11:15:15.557", "metrics": {}, "published": "2025-01-19T11:15:10.940", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute", "id": "2338817", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338817"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shitfing a 32bit integer is undefined for large shift values.\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nubsan_epilogue lib/ubsan.c:231 [inline]\n__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\nflow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\ntc_classify include/net/tc_wrapper.h:197 [inline]\n__tcf_classify net/sched/cls_api.c:1771 [inline]\ntcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\nsfb_classify net/sched/sch_sfb.c:260 [inline]\nsfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\ndev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n__dev_xmit_skb net/core/dev.c:3889 [inline]\n__dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\ndev_queue_xmit include/linux/netdevice.h:3168 [inline]\nneigh_hh_output include/net/neighbour.h:523 [inline]\nneigh_output include/net/neighbour.h:537 [inline]\nip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\niptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\nudp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\ngeneve_xmit_skb drivers/net/geneve.c:916 [inline]\ngeneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n__netdev_start_xmit include/linux/netdevice.h:5002 [inline]\nnetdev_start_xmit include/linux/netdevice.h:5011 [inline]\nxmit_one net/core/dev.c:3590 [inline]\ndev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n__dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module cls_flow from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2025-21653", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21653\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21653\nhttps://lore.kernel.org/linux-cve-announce/2025011947-CVE-2025-21653-b6c0@gregkh/T"], "statement": "If qdisc (or other packets filtering with cls_flow) being used, user can trigger ubsan_handle_shift_out_of_bounds (only with KASAN enabled and this incorrect shift could not be used for privileges escalation, but instead fail of this service itself that is deny of service). The security impact is limited.", "threat_severity": "Moderate"}