CVE-2025-21690 Overview
CVE-2025-21690 is a denial-of-service vulnerability in the Linux kernel's storvsc driver (hv_storvsc), the SCSI driver used by Linux guests running on Microsoft Hyper-V, including Azure virtual machines. It is classified as allocation of resources without limits or throttling (CWE-770): the driver emits a warning for every I/O completion that the hypervisor reports as failed, with no rate limiting on that message. When the hypervisor is in a persistent error state, the per-I/O warning floods the kernel log and can drive CPU utilization to its maximum, leaving administrators unable to troubleshoot the virtual machine from inside the guest.
Critical Impact
A local user with low privileges who keeps failed I/O flowing while the hypervisor is in a persistent error state can drive kernel log volume and CPU utilization to the point of denial of service, and the flood also buries the messages an administrator would need to diagnose the VM. Note that the fix does not remove the hypervisor-side error; it only bounds how much the guest logs about it.
Affected Products
- Linux kernel stable branches before the backported fix (see Patch Information below)
- Linux kernel 6.13 release candidates rc1 through rc7, as listed in the NVD record
- Any Hyper-V or Azure virtual machine running one of those kernels with the hv_storvsc driver loaded
Discovery Timeline
- February 10, 2025 - CVE-2025-21690 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21690
Vulnerability Analysis
The vulnerability resides in the storvsc driver, which handles SCSI storage operations for Linux virtual machines running on Microsoft Hyper-V. When the hypervisor encounters a persistent error condition, the driver's I/O completion path logs a warning for each failed request. Without rate limiting on that warning, a sustained error condition makes the kernel generate log messages at whatever rate I/O is completing, which on a busy disk is thousands of messages per second.
This unconstrained logging causes two problems: first, the kernel log buffer fills with repetitive warnings that drown out the messages needed to identify the root cause; second, the CPU time spent formatting, storing and flushing those messages (especially to a slow serial console) can reach levels that leave the virtual machine effectively unresponsive.
Root Cause
The root cause is the absence of rate limiting on the SCSI status warning in the storvsc driver. Logging a warning for a failed I/O operation is useful for debugging under normal circumstances, where such failures are rare and transient. The implementation did not account for a persistent hypervisor error, where every I/O completion fails and each one triggers a fresh warning with no throttling, so the message rate tracks the I/O rate instead of being bounded.
This is a CWE-770 (Allocation of Resources Without Limits or Throttling) weakness: the logging path consumes resources (CPU time and log buffer space) in proportion to untrusted, unbounded input, the stream of failed completions, with no cap.
Attack Vector
The attack vector is local and requires only low-privilege access to the affected virtual machine. The trigger described in the upstream fix is a persistent error on the hypervisor side, which a guest user does not directly control; what a guest user can influence is how many I/O requests keep completing with errors while that state lasts, since each failed completion produces one warning. Hypothetical ways to sustain the condition, none of which this advisory demonstrates, include:
- Inducing persistent I/O errors through malformed storage requests
- Exploiting conditions that cause the hypervisor to report continuous storage failures
- Creating scenarios where the storvsc driver enters a failure loop
The upstream fix wraps this per-I/O warning in the kernel's rate-limited device logging helper, dev_warn_ratelimited(), which sits on the same ratelimit_state infrastructure as printk_ratelimited(). By default that allows 10 messages per 5-second interval and, when the next interval opens, logs a single count of the calls it suppressed. During a persistent error condition the guest therefore still records that I/O is failing, but the cost of saying so is bounded.
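The interval-and-burst logic that the rate-limited helper applies is small enough to model in userspace. The following C program is an added example written for this page, not code from the kernel or from the storvsc patch: it reimplements the kernel's ratelimit_state semantics (interval 5 s and burst 10, matching DEFAULT_RATELIMIT_INTERVAL and DEFAULT_RATELIMIT_BURST) and replays a constructed stream of 20,000 failed completions, one per millisecond, through an unlimited and a rate-limited logger. The message text and the 20-second scenario are assumptions for illustration.

```c
/*
 * Added example (not kernel source): a userspace model of the interval/burst
 * logic behind dev_warn_ratelimited() (lib/ratelimit.c, ___ratelimit()), with
 * the kernel's default interval (5*HZ) and burst (10). A constructed stream of
 * "failed I/O" events is replayed through an unlimited and a rate-limited
 * logger to show how the fix bounds log volume during a persistent error.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DEFAULT_RATELIMIT_INTERVAL_MS 5000U /* kernel: DEFAULT_RATELIMIT_INTERVAL = 5*HZ */
#define DEFAULT_RATELIMIT_BURST       10U   /* kernel: DEFAULT_RATELIMIT_BURST */

struct ratelimit_state {
    uint64_t interval_ms;          /* 0 disables limiting, as in the kernel */
    unsigned int burst;
    bool started;
    uint64_t begin_ms;             /* start of the current interval */
    unsigned int printed;          /* messages emitted in this interval */
    unsigned int missed;           /* messages suppressed in this interval */
    unsigned int suppressed_total; /* demo bookkeeping only */
};

/* Mirrors ___ratelimit(): allow up to `burst` messages per `interval`, count
 * the rest as missed, and report the missed count when a new interval opens. */
static bool ratelimit_allow(struct ratelimit_state *rs, uint64_t now_ms)
{
    if (rs->interval_ms == 0)
        return true;
    if (!rs->started) {
        rs->started = true;
        rs->begin_ms = now_ms;
    }
    if (now_ms >= rs->begin_ms + rs->interval_ms) {
        if (rs->missed)
            printf("storvsc_log_ratelimited: %u callbacks suppressed\n", rs->missed);
        rs->begin_ms = now_ms;
        rs->printed = 0;
        rs->missed = 0;
    }
    if (rs->burst > rs->printed) {
        rs->printed++;
        return true;
    }
    rs->missed++;
    rs->suppressed_total++;
    return false;
}

/* One "failed I/O completion" warning, shaped like storvsc's (assumed format). */
static void log_failed_io(unsigned int tag, bool print)
{
    if (print)
        printf("hv_storvsc: tag#%u cmd 0x28 status: scsi 0x2 srb 0x4 hv 0xc0000001\n", tag);
}

/* Replay `events` failed completions, `spacing_ms` apart, through `rs`.
 * Returns how many warnings were actually emitted. `quiet` skips the
 * per-message output so large runs stay readable. */
static unsigned int replay_failures(struct ratelimit_state *rs, unsigned int events,
                                    uint64_t spacing_ms, bool quiet)
{
    unsigned int emitted = 0;
    for (unsigned int i = 0; i < events; i++) {
        if (ratelimit_allow(rs, (uint64_t)i * spacing_ms)) {
            log_failed_io(i, !quiet);
            emitted++;
        }
    }
    return emitted;
}

/* Constructed scenario: 20,000 failed completions, 1 ms apart (20 s), before the fix. */
static unsigned int warnings_unlimited(void)
{
    struct ratelimit_state rs = { .interval_ms = 0 };
    return replay_failures(&rs, 20000, 1, true);
}

/* Same scenario after the fix; optionally reports how many calls were suppressed. */
static unsigned int warnings_ratelimited(unsigned int *suppressed)
{
    struct ratelimit_state rs = { .interval_ms = DEFAULT_RATELIMIT_INTERVAL_MS,
                                  .burst = DEFAULT_RATELIMIT_BURST };
    unsigned int emitted = replay_failures(&rs, 20000, 1, true);
    if (suppressed)
        *suppressed = rs.suppressed_total;
    return emitted;
}

int main(void)
{
    unsigned int suppressed = 0;
    unsigned int a = warnings_unlimited();
    unsigned int b = warnings_ratelimited(&suppressed);
    printf("unlimited: %u warnings, ratelimited: %u warnings (%u suppressed)\n",
           a, b, suppressed);
    return 0;
}
```

Compile with cc -std=c11 and run: the unlimited path emits all 20,000 warnings, while the rate-limited path emits 40 (10 per 5-second interval) and prints the 4,990 suppressed calls each time an interval reopens. That is the entire effect of the fix: the hypervisor error is unchanged, but the guest's logging cost no longer scales with the I/O rate.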
Detection Methods for CVE-2025-21690
Indicators of Compromise
- Repeated hv_storvsc warnings of the form "tag#N cmd 0x.. status: scsi 0x.. srb 0x.. hv 0x.." (the per-I/O status warning the fix rate-limits) in dmesg, /var/log/kern.log or journalctl -k, arriving at a sustained high rate rather than as isolated entries
- Unusually high CPU utilization attributed to kernel logging operations
- Virtual machine becoming unresponsive or sluggish during storage error conditions
- Log files growing rapidly with repetitive storvsc driver warnings
Detection Strategies
- Monitor kernel log message rates for storvsc driver entries using log aggregation tools
- Configure alerts for sudden spikes in kernel message volume from storage subsystems
- Implement system monitoring to detect abnormal CPU usage patterns in kernel space
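As an added example (not tooling from the advisory, from SentinelOne or from the kernel), the C program below implements the rate-based check from the list above over dmesg-style output: it keeps only hv_storvsc I/O-status warnings, buckets them by the whole second of the kernel timestamp, and flags any second whose count exceeds a threshold. The sample lines are constructed; the device name is a made-up GUID and the message body follows storvsc's tag/cmd/status warning format, which is an assumption about the driver's output on your kernel. In production you would feed it raw dmesg output (not dmesg -T, whose timestamps this parser does not read) and tune FLOOD_THRESHOLD_PER_SEC to the workload.

```c
/*
 * Added example for this page (not code from the advisory or the kernel): a
 * per-second rate detector for storvsc warning floods over dmesg-style lines.
 * Only hv_storvsc I/O-status warnings are counted; the kernel "[sec.usec]"
 * prefix supplies the time. The sample input below is constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* More storvsc status warnings than this in one second is treated as a flood.
 * Tune to the workload: a few transient errors per second can be normal. */
#define FLOOD_THRESHOLD_PER_SEC 100

struct flood_report {
    unsigned long total_storvsc;  /* storvsc status warnings seen */
    unsigned long peak_per_sec;   /* highest count in any single second */
    long peak_second;             /* kernel timestamp (whole seconds) of the peak */
    bool flood;                   /* peak_per_sec > FLOOD_THRESHOLD_PER_SEC */
};

/* Parse the dmesg "[   123.456789]" prefix into seconds; false if absent. */
static bool parse_timestamp(const char *line, double *ts)
{
    return sscanf(line, " [%lf]", ts) == 1;
}

/* Match the per-I/O status warning the CVE-2025-21690 fix rate-limits
 * (assumed format: "tag#N cmd 0x.. status: scsi 0x.. srb 0x.. hv 0x.."). */
static bool is_storvsc_status_warning(const char *line)
{
    return strstr(line, "hv_storvsc") != NULL && strstr(line, "status: scsi") != NULL;
}

/* Single pass: count matching warnings per whole second and track the busiest
 * second. Lines are assumed to be in timestamp order, as dmesg emits them. */
static struct flood_report scan_lines(const char *const *lines, size_t n)
{
    struct flood_report r = { 0, 0, -1, false };
    long cur_sec = -1;
    unsigned long cur_count = 0;

    for (size_t i = 0; i < n; i++) {
        double ts;
        if (!is_storvsc_status_warning(lines[i]) || !parse_timestamp(lines[i], &ts))
            continue;
        r.total_storvsc++;
        long sec = (long)ts;
        if (sec != cur_sec) {       /* new second: reset the bucket */
            cur_sec = sec;
            cur_count = 0;
        }
        cur_count++;
        if (cur_count > r.peak_per_sec) {
            r.peak_per_sec = cur_count;
            r.peak_second = sec;
        }
    }
    r.flood = r.peak_per_sec > FLOOD_THRESHOLD_PER_SEC;
    return r;
}

/* Constructed dmesg excerpt: unrelated lines, two isolated storvsc warnings
 * (ordinary transient errors), then a persistent-error burst of 250 warnings
 * inside one second, 4 ms apart. The device GUID is made up. */
#define SAMPLE_MAX 300
static char sample_buf[SAMPLE_MAX][160];
static const char *sample_lines[SAMPLE_MAX];

static size_t build_constructed_sample(void)
{
    static const char *dev = "hv_storvsc f8b3781b-1e82-4818-a1c3-63d806ec15bb:";
    size_t n = 0;
    snprintf(sample_buf[n++], sizeof sample_buf[0],
             "[  980.120001] sd 0:0:0:0: [sda] Attached SCSI disk");
    snprintf(sample_buf[n++], sizeof sample_buf[0],
             "[  995.400218] %s tag#12 cmd 0x2a status: scsi 0x2 srb 0x4 hv 0xc0000001", dev);
    snprintf(sample_buf[n++], sizeof sample_buf[0],
             "[ 1001.002300] hv_netvsc 000d3a6b-1234-000d-3a6b-1234000d3a6b eth0: Data path switched to VF");
    snprintf(sample_buf[n++], sizeof sample_buf[0],
             "[ 1030.777100] %s tag#7 cmd 0x28 status: scsi 0x2 srb 0x4 hv 0xc0000001", dev);
    for (unsigned int i = 0; i < 250; i++)
        snprintf(sample_buf[n++], sizeof sample_buf[0],
                 "[ %.6f] %s tag#%u cmd 0x28 status: scsi 0x2 srb 0x4 hv 0xc0000001",
                 1042.0 + i * 0.004, dev, i % 64);
    for (size_t i = 0; i < n; i++)
        sample_lines[i] = sample_buf[i];
    return n;
}

/* Run the detector over the constructed excerpt. */
static struct flood_report run_constructed_sample(void)
{
    size_t n = build_constructed_sample();
    return scan_lines(sample_lines, n);
}

int main(void)
{
    struct flood_report r = run_constructed_sample();
    printf("storvsc warnings: %lu, peak %lu/s at t=%lds, flood=%s\n",
           r.total_storvsc, r.peak_per_sec, r.peak_second, r.flood ? "yes" : "no");
    return r.flood ? 1 : 0;
}
```

The two isolated warnings are ignored by the threshold and only the 250-in-one-second burst trips the alert, which is the distinction a detection rule needs: a transient SCSI error is routine, a sustained per-I/O stream of them on a Hyper-V guest is the signature of this condition. The same bucketing can be expressed as a rate query in a log aggregator once kernel messages are shipped centrally.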
- Use SentinelOne's Linux agent to detect anomalous system behavior indicative of DoS conditions
Monitoring Recommendations
- Enable centralized logging with rate-based anomaly detection for kernel messages
- Set up monitoring thresholds for CPU utilization that could indicate log flooding
- Review storvsc driver activity in Hyper-V environments during routine security audits
- Deploy endpoint detection solutions capable of identifying resource exhaustion attacks
How to Mitigate CVE-2025-21690
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the rate-limiting fix
- For Debian-based systems, review the Debian LTS Announcement for available patches
- If patching must wait, consider lowering the driver's own log level: storvsc exposes a writable logging_level module parameter (0 = none, 1 = error, the default, 2 = warning); confirm the parameter and its path (/sys/module/hv_storvsc/parameters/logging_level) on your kernel before relying on it, and remember that 0 also silences the messages you would want for diagnosis
- Monitor affected systems for signs of exploitation until patches are applied
Patch Information
The Linux kernel maintainers have released patches across multiple stable kernel branches. The fix implements rate limiting on the warning messages to prevent the denial of service condition. The following kernel commits contain the fix:
- Kernel Git Commit 01d1ebda
- Kernel Git Commit 088bde86
- Kernel Git Commit 182a4b7c
- Kernel Git Commit 81d4dd05
- Kernel Git Commit d0f0af1b
- Kernel Git Commit d2138eab
Workarounds
- Rate-limit at the syslog layer (for example rsyslog's imuxsock rate limiting) to protect disk space and log pipelines; this runs after the kernel has already formatted and stored each message, so it does nothing for the in-kernel CPU cost that constitutes the denial of service
- Configure log rotation with aggressive retention policies to prevent disk exhaustion
- Lower the console log level as a temporary measure (dmesg -n 4 at runtime, or loglevel=4 on the kernel command line): this keeps KERN_ERR and above on the console and stops KERN_WARNING messages, the priority storvsc's dev_warn() output uses, from being written to an often slow serial console; the messages still enter the kernel ring buffer, so the cost is reduced, not removed
- Isolate affected VMs and monitor closely until patching is completed
# Example rsyslog rate limiting configuration (legacy directive syntax)
# Add to /etc/rsyslog.conf after the imuxsock module is loaded: these directives
# belong to imuxsock and throttle messages arriving on the system log socket
# (/dev/log), per sending process. Kernel messages read directly by imklog are
# not covered, and the in-kernel CPU cost is unchanged either way; this protects
# the log pipeline and disk. Allow up to 500 messages per 5-second window, then
# drop the excess until the window resets.
$ModLoad imuxsock
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

