AI description
CVE-2025-21692 is an out-of-bounds indexing vulnerability within the Enhanced Transmission Selection (ETS) scheduler component of the Linux kernel. Discovered by Haowei Yan, the vulnerability occurs in the `etsclassfrom_arg()` function when it receives a class ID (clid) of 0, leading to an array-index-out-of-bounds error. The vulnerability affects Linux kernel versions from 5.6 through 6.13-rc7. The vulnerability exists in the `net/sched/sch_ets.c` file, where the `etsclassfromarg()` function can index an out-of-bounds class when passed a clid of 0. This can potentially allow a local attacker to escalate their privileges and gain unauthorized access to sensitive system resources.
- Description
- In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]---
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Analyzed
- Products
- linux_kernel
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-129
- Hype score
- Not currently trending
Ello, I recently wrote a writeup for CVE-2025-21692, an out of bounds access in the ETS qdisc, https://t.co/wmO4pudZrR. Was curious to see any corrections or feedback ppl may have as im not tremendously well versed in kernel exploitation and would love some pointers. Tq
@movx64
16 Sept 2025
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Proof of concept source code and misc files for my CVE-2025-21692 exploit, kernel version 6.6.75 https://t.co/YVN6i3JqmR
@Dinosn
16 Sept 2025
3973 Impressions
16 Retweets
60 Likes
28 Bookmarks
0 Replies
0 Quotes
GitHub - volticks/CVE-2025-21692-poc: Proof of concept source code and misc files for my CVE-2025-21692 exploit, kernel version 6.6.75 https://t.co/9Miq0vbr4b
@akaclandestine
15 Sept 2025
2746 Impressions
9 Retweets
26 Likes
18 Bookmarks
0 Replies
0 Quotes
GitHub - volticks/CVE-2025-21692-poc: Proof of concept source code and misc files for my CVE-2025-21692 exploit, kernel version 6.6.75 - https://t.co/IFkx3bUHKG
@piedpiper1616
15 Sept 2025
4387 Impressions
22 Retweets
66 Likes
29 Bookmarks
0 Replies
0 Quotes
π¨ CVE-2025-21692 β π’ Linux - Linux ποΈ dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 π https://t.co/f7C2dL0HV4 π https://t.co/KbXcTRx3IZ π https://t.co/npfS0ArzRW π https://t.co/ossSsM5XQg π https://t.co/Ja49ZI0wWy π https://t.co/ROGuvOA9mx #CyberCron #VulnAlert https://t.co/
@cybercronai
13 Feb 2025
23 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
π¨ CVE-2025-21692 β π’ Linux - Linux ποΈ dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 π https://t.co/f7C2dL0HV4 π https://t.co/KbXcTRx3IZ π https://t.co/npfS0ArzRW π https://t.co/ossSsM5XQg π https://t.co/Ja49ZI0wWy π https://t.co/ROGuvOA9mx #CyberCron #VulnAlert https://t.co/p
@cybercronai
10 Feb 2025
19 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DA6AE325-9EBC-47AE-B596-CA86A578FA40",
"versionEndExcluding": "5.10.234",
"versionStartIncluding": "5.6"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "171159A1-9827-4C7B-821D-55398B837C49",
"versionEndExcluding": "5.15.178",
"versionStartIncluding": "5.11"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EDB5047C-0330-407A-BE1B-513B5BF304DE",
"versionEndExcluding": "6.1.128",
"versionStartIncluding": "5.16"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E8D39B53-7390-48BE-92FD-8846BE8E8430",
"versionEndExcluding": "6.6.75",
"versionStartIncluding": "6.2"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B04C243A-753B-49A9-87C7-92FCC1425FB7",
"versionEndExcluding": "6.12.12",
"versionStartIncluding": "6.7"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B"
}
],
"operator": "OR"
}
]
}
]