CVE-2025-21700 Overview
CVE-2025-21700 is a Use-After-Free (UAF) vulnerability in the Linux kernel's network traffic control (tc) scheduler subsystem. The vulnerability exists in the qdisc (queuing discipline) handling code, specifically when replacing a child qdisc from one parent to another. This flaw allows a local attacker with low privileges to trigger a UAF condition that can be exploited for privilege escalation.
The vulnerability was discovered by Lion Ackermann, who demonstrated that by manipulating the traffic control configuration through a specific sequence of tc commands, an attacker could create a scenario where a qdisc object is referenced by multiple parent classes simultaneously. When one of these classes is deleted, the qdisc object is freed while still being referenced by other classes, leading to a classic use-after-free condition.
Critical Impact
Local privilege escalation vulnerability allowing unprivileged users to gain root access through kernel memory corruption via the traffic control subsystem.
Affected Products
- Linux Kernel (multiple versions)
- Debian-based distributions using affected kernel versions
- Linux distributions with traffic control (tc/iproute2) utilities enabled
Discovery Timeline
- February 13, 2025 - CVE-2025-21700 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21700
Vulnerability Analysis
This vulnerability (CWE-416: Use After Free) resides in the Linux kernel's traffic control scheduler implementation. The root cause is an improper handling of qdisc replacement operations that allows a child qdisc to be moved between different parent classes.
The attack requires local access and exploits a logic flaw in how the kernel processes tc qdisc replace commands. The intended semantics of the "replace" operation is to delete and add a qdisc on the same node. However, the vulnerable code allows an attacker to effectively delete a qdisc from one node (original parent) and add it to another node (new parent), creating a dangling reference scenario.
When exploited, this results in a qdisc object being referenced by multiple parent classes with an artificially inflated reference count. Subsequent deletion of one of these parent classes triggers the use-after-free condition, as the qdisc is freed while still being accessible through the remaining parent reference.
Root Cause
The vulnerability stems from insufficient validation in the qdisc replacement logic. When a tc qdisc replace command is issued, the kernel fails to verify whether the target qdisc is already attached to a different parent. This allows an attacker to create a configuration where:
- A qdisc (e.g., handle 4:0) is attached to one parent class (e.g., 3:1)
- The same qdisc handle is "replaced" onto a different parent class (e.g., 1:3)
- The qdisc ends up being referenced by both parent classes simultaneously
- The reference count is incorrectly incremented, leading to memory management issues
Attack Vector
The attack is executed locally through the tc (traffic control) utility from the iproute2 package. The attacker must have permissions to configure network queuing disciplines, which typically requires CAP_NET_ADMIN capability or root privileges in the network namespace.
The exploitation follows a multi-step process:
- Create a root DRR (Deficit Round Robin) qdisc on a network interface
- Create multiple child classes under the root qdisc
- Attach nested qdiscs to these classes, establishing a hierarchy
- Issue a tc qdisc replace command targeting an existing qdisc handle but specifying a different parent class
- This creates a dual-reference scenario where the qdisc is associated with multiple parents
- Send network traffic to populate the queues
- Delete one of the parent classes, triggering the UAF when the qdisc is freed prematurely
- Exploit the dangling pointer for privilege escalation
Detection Methods for CVE-2025-21700
Indicators of Compromise
- Unusual or excessive tc command executions, particularly tc qdisc replace operations
- Kernel log messages related to qdisc reference count anomalies or memory corruption
- Unexpected kernel crashes or panics related to the net/sched subsystem
- Processes running with elevated privileges that originated from unprivileged user accounts
Detection Strategies
- Monitor for tc qdisc replace commands that reference existing qdisc handles with different parent specifications
- Implement audit rules for CAP_NET_ADMIN capability usage by non-administrative users
- Use kernel tracing (ftrace/eBPF) to monitor qdisc_graft and related functions for anomalous behavior
- Deploy endpoint detection solutions capable of identifying privilege escalation attempts via kernel exploits
Monitoring Recommendations
- Enable audit logging for all traffic control (tc) command executions with auditctl -a always,exit -F arch=b64 -S socket -S bind -F exe=/sbin/tc
- Configure kernel crash dump collection to capture evidence of exploitation attempts
- Monitor for unusual network namespace creation and configuration activities
- Implement real-time alerting for unexpected privilege elevation events
How to Mitigate CVE-2025-21700
Immediate Actions Required
- Apply the latest kernel security patches from your Linux distribution vendor
- Restrict CAP_NET_ADMIN capability to only essential administrative accounts
- Audit existing qdisc configurations for any suspicious or unnecessarily complex hierarchies
- Consider temporarily restricting access to the tc utility for non-root users if patching is delayed
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix implements validation logic that disallows replacing a child qdisc from one parent to another, enforcing the correct semantics where replacement operations must occur on the same node.
Official patches are available through the following kernel git commits:
- Kernel Commit 38646749
- Kernel Commit 46c59ec3
- Kernel Commit 73c7e1d6
- Kernel Commit 7e2bd8c1
- Kernel Commit bc50835e
- Kernel Commit cd796e26
- Kernel Commit deda09c0
- Kernel Commit fe18c21d
Debian users should refer to the Debian LTS Announcement March 2025 and Debian LTS Announcement May 2025 for distribution-specific updates.
Workarounds
- Restrict access to traffic control utilities by modifying file permissions on /sbin/tc
- Use SELinux or AppArmor policies to limit which processes can execute qdisc configuration commands
- Disable or unload unnecessary network scheduler modules if the functionality is not required
- Implement network namespace isolation to contain potential exploitation attempts
# Restrict tc utility access to root only
chmod 750 /sbin/tc
chown root:root /sbin/tc
# Add audit rule to monitor tc usage
auditctl -a always,exit -F arch=b64 -F path=/sbin/tc -F perm=x -k tc_usage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
