CVE-2025-21763 Overview
CVE-2025-21763 is a use-after-free vulnerability [CWE-416] in the Linux kernel's networking neighbour subsystem. The flaw resides in the __neigh_notify() function, which could be called without RTNL (Routertable Netlink) lock or Read-Copy-Update (RCU) protection. The absence of synchronization permits concurrent access to freed memory structures, creating a use-after-free condition that local attackers can leverage. The fix introduces RCU protection around __neigh_notify() to prevent the unsafe access pattern. The vulnerability affects the mainline Linux kernel including release candidates 6.14:rc1 and 6.14:rc2, along with multiple stable branches addressed via backported commits.
Critical Impact
Local attackers with low privileges can exploit the use-after-free in __neigh_notify() to compromise kernel memory integrity, potentially escalating privileges or causing kernel-level denial of service.
Affected Products
- Linux Kernel (multiple stable branches prior to fix commits)
- Linux Kernel 6.14-rc1
- Linux Kernel 6.14-rc2
Discovery Timeline
- 2025-02-27 - CVE-2025-21763 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-21763
Vulnerability Analysis
The vulnerability resides in the kernel's neighbour subsystem, which manages Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entries for network neighbours. The __neigh_notify() function generates netlink notifications when neighbour table entries change state. Prior to the fix, the function could execute without holding either the RTNL mutex or RCU read-side lock. This permitted the underlying net_device or neighbour structures to be freed while __neigh_notify() still referenced them.
The defect is classified as a use-after-free [CWE-416]. Local users on the system can trigger network state transitions that invoke the unprotected notification path. Concurrent execution paths that release neighbour structures can free memory still in use by the notification routine.
Root Cause
The root cause is missing synchronization in the neighbour notification path. The kernel's RCU mechanism allows safe concurrent reads of data structures while writers can mark objects for deferred deletion. Without an RCU read-side critical section guarding __neigh_notify(), the function had no guarantee that pointers it dereferenced remained valid. The patches resolve this by wrapping the affected code paths with rcu_read_lock() and rcu_read_unlock() to ensure referenced objects persist for the duration of the notification.
Attack Vector
Exploitation requires local access with low privileges. An attacker triggers network activity that causes neighbour table updates, racing the notification path against neighbour structure teardown. Successful exploitation yields kernel memory corruption that can lead to privilege escalation, information disclosure, or system crash. The local attack vector limits remote exploitation but the impact on confidentiality, integrity, and availability is high.
No public proof-of-concept code has been published. See the Linux Kernel Commit Fixes for the upstream patch and additional technical context.
Detection Methods for CVE-2025-21763
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing neigh_notify, __neigh_notify, or the neighbour subsystem in dmesg output
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in neighbour-related code paths on instrumented kernels
- Abnormal kernel memory corruption events correlated with periods of high network state churn
Detection Strategies
- Inventory running kernel versions across the fleet using uname -r and compare against fixed commit hashes provided by the distribution
- Monitor host telemetry for unexpected privilege escalations originating from unprivileged local users
- Audit kernel crash logs and core dumps for stack traces involving the neighbour subsystem
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) on production Linux systems to capture exploitation artifacts
- Forward auditd and kernel logs to a centralized log platform for retrospective analysis of suspicious local activity
- Track package update compliance for kernel security advisories from your Linux distribution
How to Mitigate CVE-2025-21763
Immediate Actions Required
- Apply the vendor-supplied kernel update from your Linux distribution containing the upstream fixes
- Prioritize patching multi-tenant systems and any host permitting untrusted local users
- Reboot patched systems to load the corrected kernel, as live patching may not cover all affected code paths
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. The upstream commits implementing RCU protection in __neigh_notify() are tracked under commit hashes 1cbb2aa90cd3, 40d8f2f2a373, 559307d25235, 784eb2376270, 8666e9aab801, becbd5850c03, cdd5c2a12dda, and e1aed6be381b. Distribution-specific updates are available via the Debian LTS Announcement March 2025 and Debian LTS Announcement May 2025. Industrial users should consult the Siemens Security Advisory SSA-265688 for affected product guidance.
Workarounds
- Restrict local access to trusted users only by reviewing accounts with shell access and reducing the attack surface
- Disable unnecessary network interfaces and services that generate frequent neighbour table updates on critical systems
- Apply mandatory access controls such as SELinux or AppArmor in enforcing mode to constrain local exploitation primitives
# Configuration example: verify kernel version and apply distribution updates
uname -r
# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r | cut -d- -f3-)
sudo reboot
# RHEL/CentOS/Fedora
sudo dnf update kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
