CVE-2025-21692 Overview
CVE-2025-21692 is an out-of-bounds indexing vulnerability in the Linux kernel's Enhanced Transmission Selection (ETS) qdisc network scheduler component. The vulnerability exists in the ets_class_from_arg() function within net/sched/sch_ets.c, which fails to properly validate the class ID (clid) parameter. When a clid value of 0 is passed, it results in an array index underflow, causing the function to access memory outside the bounds of the ets_class array.
Critical Impact
Local attackers with limited privileges can exploit this out-of-bounds array access to potentially achieve local privilege escalation on affected Linux systems.
Affected Products
- Linux Kernel versions 5.10.x through 5.10.233 (prior to fix)
- Linux Kernel versions 5.15.x through 6.12.x (various branches)
- Linux Kernel version 6.13 release candidates (rc1 through rc7)
Discovery Timeline
- 2025-02-10 - CVE-2025-21692 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-21692
Vulnerability Analysis
This vulnerability is classified as CWE-129 (Improper Validation of Array Index). The ETS qdisc is a network traffic control mechanism that lets administrators configure traffic class prioritization. The vulnerability occurs when the ets_class_from_arg() function receives an invalid class identifier of 0: the function subtracts 1 to form the array index, giving -1, which in the unsigned 64-bit arithmetic used for the index becomes 18446744073709551615.
The UBSAN (Undefined Behavior Sanitizer) report emitted when the bug is triggered shows the out-of-bounds index directly: "index 18446744073709551615 is out of range for type 'ets_class [16]'". The array has only 16 elements, but the calculated index wraps to that enormous value because the unsigned subtraction underflows.
Root Cause
The root cause is insufficient input validation in the ets_class_from_arg() function. When processing traffic control class operations via netlink messages, the function fails to verify that the provided clid parameter is within valid bounds before using it as an array index. Specifically, passing a clid value of 0 causes the function to calculate an invalid array offset, leading to out-of-bounds memory access.
The call chain begins when a user sends a netlink message through sendmsg() syscall, which is processed through rtnetlink_rcv_msg() → tc_ctl_tclass() → ets_class_change(), ultimately reaching the vulnerable ets_class_from_arg() function at line 93 of sch_ets.c.
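The index underflow and the bounds check that closes it, as an added example that is not the kernel's source: a simplified stand-in for the sch_ets structures (field names and the `quantum` placeholder are assumptions), with the unchecked `clid - 1` arithmetic beside a lookup that rejects clid 0 and any clid above the configured band count, which is the validation the fix adds.

```c
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

#define TCQ_ETS_MAX_BANDS 16   /* matches the 'ets_class [16]' in the UBSAN report */

struct ets_class { unsigned int quantum; };   /* placeholder field; the real struct is larger */

struct ets_sched {
    unsigned int nbands;                          /* bands actually configured (assumed field) */
    struct ets_class classes[TCQ_ETS_MAX_BANDS];  /* clid N maps to classes[N - 1] */
};

/* The unchecked index arithmetic: clid 0 wraps to ULONG_MAX
 * (18446744073709551615 on 64-bit), the value UBSAN printed. */
unsigned long ets_index_unchecked(unsigned long clid)
{
    return clid - 1;
}

/* Hardened lookup: clid 0 and clids past the configured bands return NULL
 * instead of indexing outside classes[]. */
struct ets_class *ets_class_from_arg_checked(struct ets_sched *q, unsigned long clid)
{
    if (clid == 0 || clid > q->nbands)
        return NULL;
    return &q->classes[clid - 1];
}

/* Returns 1 when the checked lookup rejects the bad ids and maps good ones correctly. */
int ets_lookup_selfcheck(void)
{
    struct ets_sched q = { .nbands = 4 };
    if (ets_class_from_arg_checked(&q, 0) != NULL) return 0;       /* the CVE trigger */
    if (ets_class_from_arg_checked(&q, 1) != &q.classes[0]) return 0;
    if (ets_class_from_arg_checked(&q, 4) != &q.classes[3]) return 0;
    if (ets_class_from_arg_checked(&q, 5) != NULL) return 0;       /* beyond nbands */
    if (ets_class_from_arg_checked(&q, 17) != NULL) return 0;      /* beyond the array */
    return 1;
}

int main(void)
{
    printf("unchecked index for clid 0: %lu\n", ets_index_unchecked(0));
    printf("checked lookup: %s\n", ets_lookup_selfcheck() ? "ok" : "FAIL");
    return 0;
}
```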
Attack Vector
The vulnerability requires local access and can be triggered by a low-privileged user with the ability to send netlink messages to configure traffic control settings. The attacker crafts a malicious netlink message with a clid parameter set to 0, which when processed by the kernel's traffic control subsystem causes the out-of-bounds array access.
The attack path involves:
- Opening a netlink socket for rtnetlink communication
- Constructing a TC_CTL_TCLASS netlink message with clid=0
- Sending the message via sendmsg() syscall
- The kernel processes the message and triggers the OOB access
Because the out-of-bounds access reads or writes kernel memory outside the ets_class array, successful exploitation could lead to information disclosure, kernel memory corruption, or privilege escalation, depending on what memory is accessed.
Detection Methods for CVE-2025-21692
Indicators of Compromise
- UBSAN kernel log messages indicating "array-index-out-of-bounds in net/sched/sch_ets.c"
- Unusual netlink traffic control configuration attempts from non-root users
- Kernel crash dumps or oops messages referencing ets_class_change() or ets_class_from_arg() functions
- Processes named "poc" or suspicious binaries attempting traffic control operations
Detection Strategies
- Enable UBSAN (Undefined Behavior Sanitizer) in kernel builds to catch array bounds violations at runtime
- Monitor audit logs for sendmsg syscalls targeting netlink sockets with traffic control operations
- Deploy kernel runtime integrity monitoring to detect unauthorized memory access patterns
- Implement system call filtering using seccomp to restrict netlink traffic control operations for unprivileged processes
Monitoring Recommendations
- Configure syslog aggregation to alert on UBSAN and kernel warning messages containing "sch_ets" references
- Use endpoint detection solutions to monitor for unusual traffic control configuration activity
- Enable kernel tracing on tc_ctl_tclass function to identify exploitation attempts
- Audit user processes attempting to interact with traffic control subsystems
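A log scanner for the UBSAN signature listed above, as an added example (not from the advisory or the kernel project): it pairs the sch_ets location line with the "index ..." line that UBSAN prints next, extracts the reported index and array size, and counts hits. The log excerpt is constructed for illustration; the function and struct names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>

struct ubsan_hit {
    unsigned long long index;   /* index value UBSAN reported */
    unsigned long long bound;   /* element count parsed from "type 'ets_class [N]'" */
};

struct ubsan_hit last_hit;      /* most recent match, filled by count_sch_ets_hits() */

/* UBSAN prints the location on one line and the index on the next, so the
 * scanner remembers a sch_ets location line and parses the line that follows. */
int count_sch_ets_hits(const char *const *lines, struct ubsan_hit *hit)
{
    int n = 0, pending = 0;
    for (; *lines; lines++) {
        const char *p;
        if (strstr(*lines, "UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c")) {
            pending = 1;
            continue;
        }
        if (pending && (p = strstr(*lines, "index ")) != NULL) {
            hit->index = strtoull(p + strlen("index "), NULL, 10);
            p = strstr(*lines, "ets_class [");
            hit->bound = p ? strtoull(p + strlen("ets_class ["), NULL, 10) : 0;
            n++;
        }
        pending = 0;   /* a location line must be directly followed by its index line */
    }
    return n;
}

/* Constructed kernel log excerpt, not a real capture; the UBSAN wording
 * follows the message quoted in the advisory. */
const char *const sample_log[] = {
    "[   12.001] systemd[1]: Started Network Manager.",
    "[   99.123] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93",
    "[   99.124] index 18446744073709551615 is out of range for type 'ets_class [16]'",
    "[   99.125] CPU: 1 PID: 4242 Comm: tc Not tainted",
    NULL
};

int main(void)
{
    int n = count_sch_ets_hits(sample_log, &last_hit);
    printf("sch_ets UBSAN hits: %d (last index %llu, array size %llu)\n",
           n, last_hit.index, last_hit.bound);
    return 0;
}
```

Feeding real `dmesg` or journal output through the same scanner only requires reading lines into the array; the pairing logic is unchanged.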
How to Mitigate CVE-2025-21692
Immediate Actions Required
- Apply the official kernel patches from the Linux kernel stable branches immediately
- Restrict netlink socket access to trusted administrators using network namespaces or capability controls
- Consider disabling the ETS qdisc module (sch_ets) if not actively used in your environment
- Enable UBSAN in development and testing environments to catch similar issues
Patch Information
Multiple patches have been released across different Linux kernel stable branches to address this vulnerability. The fix adds proper validation of the clid parameter in ets_class_from_arg() to ensure it falls within valid bounds before being used as an array index.
Official patches are available from the following kernel commits:
- Kernel commit 03c56665dab1
- Kernel commit 1332c6ed446b
- Kernel commit 997f6ec4208b
- Kernel commit bcf0d815e728
- Kernel commit d62b04fca434
- Kernel commit f4168299e553
- Kernel commit f6b0f05fbfa4
Debian users should refer to the Debian LTS security announcements for distribution-specific package updates.
Workarounds
- Remove or blacklist the sch_ets kernel module if ETS qdisc functionality is not required: echo "blacklist sch_ets" >> /etc/modprobe.d/blacklist-sch_ets.conf
- Use network namespaces to isolate untrusted processes from traffic control capabilities
- Implement SELinux or AppArmor policies to restrict netlink socket operations for non-privileged applications
- Deploy capability-based access controls to limit CAP_NET_ADMIN to trusted processes only
# Blacklist the sch_ets module to prevent loading
echo "blacklist sch_ets" | sudo tee /etc/modprobe.d/blacklist-sch_ets.conf
# Unload the module if currently loaded
sudo modprobe -r sch_ets
# Verify module is not loaded
lsmod | grep sch_ets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

