CVE-2025-21763: Linux Kernel Use-After-Free Vulnerability

CVE-2025-21763 Overview

CVE-2025-21763 is a use-after-free vulnerability [CWE-416] in the Linux kernel's networking neighbour subsystem. The flaw resides in the __neigh_notify() function, which could be called without RTNL (Routertable Netlink) lock or Read-Copy-Update (RCU) protection. The absence of synchronization permits concurrent access to freed memory structures, creating a use-after-free condition that local attackers can leverage. The fix introduces RCU protection around __neigh_notify() to prevent the unsafe access pattern. The vulnerability affects the mainline Linux kernel including release candidates 6.14:rc1 and 6.14:rc2, along with multiple stable branches addressed via backported commits.

Critical Impact
Local attackers with low privileges can exploit the use-after-free in __neigh_notify() to compromise kernel memory integrity, potentially escalating privileges or causing kernel-level denial of service.

Affected Products

Linux Kernel (multiple stable branches prior to fix commits)
Linux Kernel 6.14-rc1
Linux Kernel 6.14-rc2

Discovery Timeline

2025-02-27 - CVE-2025-21763 published to NVD
2026-05-12 - Last updated in NVD database

Technical Details for CVE-2025-21763

Vulnerability Analysis

The vulnerability resides in the kernel's neighbour subsystem, which manages Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entries for network neighbours. The __neigh_notify() function generates netlink notifications when neighbour table entries change state. Prior to the fix, the function could execute without holding either the RTNL mutex or RCU read-side lock. This permitted the underlying net_device or neighbour structures to be freed while __neigh_notify() still referenced them.

The defect is classified as a use-after-free [CWE-416]. Local users on the system can trigger network state transitions that invoke the unprotected notification path. Concurrent execution paths that release neighbour structures can free memory still in use by the notification routine.

Root Cause

The root cause is missing synchronization in the neighbour notification path. The kernel's RCU mechanism allows safe concurrent reads of data structures while writers can mark objects for deferred deletion. Without an RCU read-side critical section guarding __neigh_notify(), the function had no guarantee that pointers it dereferenced remained valid. The patches resolve this by wrapping the affected code paths with rcu_read_lock() and rcu_read_unlock() to ensure referenced objects persist for the duration of the notification.

Attack Vector

Exploitation requires local access with low privileges. An attacker triggers network activity that causes neighbour table updates, racing the notification path against neighbour structure teardown. Successful exploitation yields kernel memory corruption that can lead to privilege escalation, information disclosure, or system crash. The local attack vector limits remote exploitation but the impact on confidentiality, integrity, and availability is high.

No public proof-of-concept code has been published. See the Linux Kernel Commit Fixes for the upstream patch and additional technical context.

Detection Methods for CVE-2025-21763

Indicators of Compromise

Unexpected kernel oops or panic messages referencing neigh_notify, __neigh_notify, or the neighbour subsystem in dmesg output
KASAN (Kernel Address Sanitizer) reports flagging use-after-free in neighbour-related code paths on instrumented kernels
Abnormal kernel memory corruption events correlated with periods of high network state churn

Detection Strategies

Inventory running kernel versions across the fleet using uname -r and compare against fixed commit hashes provided by the distribution
Monitor host telemetry for unexpected privilege escalations originating from unprivileged local users
Audit kernel crash logs and core dumps for stack traces involving the neighbour subsystem

Monitoring Recommendations

Enable kernel crash dump collection (kdump) on production Linux systems to capture exploitation artifacts
Forward auditd and kernel logs to a centralized log platform for retrospective analysis of suspicious local activity
Track package update compliance for kernel security advisories from your Linux distribution

How to Mitigate CVE-2025-21763

Immediate Actions Required

Apply the vendor-supplied kernel update from your Linux distribution containing the upstream fixes
Prioritize patching multi-tenant systems and any host permitting untrusted local users
Reboot patched systems to load the corrected kernel, as live patching may not cover all affected code paths

Patch Information

The Linux kernel maintainers released fixes across multiple stable branches. The upstream commits implementing RCU protection in __neigh_notify() are tracked under commit hashes 1cbb2aa90cd3, 40d8f2f2a373, 559307d25235, 784eb2376270, 8666e9aab801, becbd5850c03, cdd5c2a12dda, and e1aed6be381b. Distribution-specific updates are available via the Debian LTS Announcement March 2025 and Debian LTS Announcement May 2025. Industrial users should consult the Siemens Security Advisory SSA-265688 for affected product guidance.

Workarounds

Restrict local access to trusted users only by reviewing accounts with shell access and reducing the attack surface
Disable unnecessary network interfaces and services that generate frequent neighbour table updates on critical systems
Apply mandatory access controls such as SELinux or AppArmor in enforcing mode to constrain local exploitation primitives

bash

# Configuration example: verify kernel version and apply distribution updates
uname -r

# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r | cut -d- -f3-)
sudo reboot

# RHEL/CentOS/Fedora
sudo dnf update kernel
sudo reboot