CVE-2025-21664 Overview
CVE-2025-21664 is a race condition vulnerability in the Linux kernel's device-mapper thin provisioning (dm-thin) subsystem. The flaw resides in the get_first_thin() function, which uses a non-RCU-safe sequence of list_empty() followed by list_first() on the active_thins list. Each call performs its own READ_ONCE() of the list head, allowing the list state to change between the two operations. When the last thin_c entry is removed by thin_dtr at the wrong moment, dereferencing the resulting list head produces an invalid thin_c pointer and triggers a general protection fault in process_deferred_bios. Local attackers with low privileges can trigger this condition to crash the kernel.
Critical Impact
A local user with permissions to create and destroy thin-provisioned devices can trigger a kernel general protection fault, resulting in system denial of service.
Affected Products
- Linux Kernel versions starting at 3.15
- Linux Kernel 6.13 release candidates (rc1 through rc6)
- Distributions tracking stable kernel branches, including Debian LTS and Siemens products referenced in SSA-265688
Discovery Timeline
- 2025-01-21 - CVE-2025-21664 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-21664
Vulnerability Analysis
The vulnerability is a kernel race condition [CWE-362-class] in the dm-thin target. The get_first_thin() helper iterates the active_thins RCU-protected list to acquire a reference on the first thin device for deferred bio processing. The original implementation performed list_empty() and then list_first_entry() as two independent reads of the list head. Between the two reads, a concurrent thin_dtr (destructor) running on another CPU can remove the last entry from active_thins, leaving the list pointing to itself.
When this race wins, get_first_thin() observes a non-empty list and then dereferences a pointer that no longer references a valid thin_c structure. Instead, it interprets bytes inside the parent struct pool as a thin_c, producing corrupted reference counts and out-of-bounds memory access. Observed symptoms in production crash dumps included refcount_t saturation warnings, a UBSAN out-of-bounds report against the queued spinlock cpuid access, and a final general protection fault.
Root Cause
The root cause is incorrect use of RCU list primitives. The rculist.h documentation explicitly warns against composing list_empty() with list_first() because each performs its own READ_ONCE() of the list head, producing torn views of the list state under concurrent modification.
Attack Vector
Exploitation requires local access with privileges to create, suspend, and destroy thin-provisioned dm-thin devices. An attacker triggers concurrent thin_dtr operations against the active thins list while deferred bio processing is in flight. The resulting kernel fault halts the affected system. The attack vector is local and the impact is limited to availability.
The vulnerability is described in prose because no exploit code is required to trigger the underlying race; repeated create/destroy cycles against thin volumes under I/O load are sufficient. See the kernel commit log for the upstream fix.
Detection Methods for CVE-2025-21664
Indicators of Compromise
- Kernel oops or general protection fault entries in dmesg referencing process_deferred_bios or get_first_thin in the call trace
- refcount_t: saturated warnings emitted from the dm-thin code path
- UBSAN reports of out-of-bounds cpuid access inside queued spinlock routines preceding a crash
Detection Strategies
- Monitor host crash dumps and kdump artifacts for stack traces involving dm-thin, thin_dtr, and synchronize_rcu
- Correlate kernel panic events with concurrent device-mapper administrative activity such as dmsetup remove or LVM thin pool teardown
- Track running kernel versions across the fleet and flag hosts on vulnerable stable branches still using thin provisioning
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a centralized log platform for alerting on BUG:, Oops:, and WARNING: events tied to dm-thin
- Alert on unexpected reboots of hosts running thin-provisioned LVM volumes or container storage backends that rely on dm-thin
- Audit which workloads use dm-thin and prioritize patching on storage-heavy nodes
How to Mitigate CVE-2025-21664
Immediate Actions Required
- Apply the stable kernel update that switches get_first_thin() to list_first_or_null_rcu() from your distribution vendor
- Inventory hosts running kernels 3.15 through the 6.13 release candidates and prioritize those using dm-thin thin provisioning
- Restrict access to device-mapper administrative interfaces so only trusted operators can create or destroy thin devices
Patch Information
Upstream fixes are tracked in multiple stable branches. The patch replaces the racy list_empty() + list_first() sequence with a single list_first_or_null_rcu() call. Reference commits include 12771050b6d0, 6b305e98de0d, 802666a40c71, 80f130bfad1d, cbd0d5ecfa39, cd30a3960433, and ec037fe8c0d0. Distribution updates are available via the Debian LTS announcement and Siemens advisory SSA-265688.
Workarounds
- Avoid concurrent destruction of thin devices while deferred bio processing is active on heavily loaded thin pools
- Where feasible, migrate critical workloads off dm-thin to alternative storage backends until patches are deployed
- Limit local shell and root-equivalent access on systems that cannot be patched immediately to reduce exposure
# Verify the running kernel version and check for the dm-thin module
uname -r
lsmod | grep dm_thin_pool
# After patching, reboot and confirm the new kernel is active
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-$(uname -r | sed 's/.*-//')
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
