CVE-2025-21765 Overview
CVE-2025-21765 is a vulnerability in the Linux kernel's IPv6 networking stack where the ip6_default_advmss() function lacks proper RCU (Read-Copy-Update) protection. This missing synchronization mechanism can lead to a race condition where the network namespace structure being read may be freed while still in use, potentially causing a denial of service condition through kernel crashes or system instability.
Critical Impact
Local attackers with low privileges can exploit this race condition to cause system denial of service by triggering use-after-free scenarios in the kernel's IPv6 networking subsystem.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.14-rc1
- Linux Kernel 6.14-rc2
Discovery Timeline
- February 27, 2025 - CVE-2025-21765 published to NVD
- November 03, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21765
Vulnerability Analysis
This vulnerability exists in the Linux kernel's IPv6 implementation, specifically within the ip6_default_advmss() function. The function is responsible for calculating the default advertised Maximum Segment Size (MSS) for IPv6 connections. The core issue is that this function accesses the network namespace (net) structure without proper RCU (Read-Copy-Update) protection.
RCU is a synchronization mechanism used extensively in the Linux kernel to allow concurrent read access to shared data structures while updates are being made. Without proper RCU protection, there is a race condition where the net structure could be freed by another thread while ip6_default_advmss() is still reading from it.
Root Cause
The root cause is a missing RCU read-side critical section in the ip6_default_advmss() function. When the kernel accesses network namespace structures, it must use rcu_read_lock() and rcu_read_unlock() to ensure the structure remains valid during access. The absence of these RCU primitives creates a window where the network namespace can be destroyed while the function is still referencing it, leading to use-after-free or NULL pointer dereference conditions.
Attack Vector
The vulnerability requires local access to exploit. An attacker with low privileges on the system could potentially trigger this race condition by:
- Creating and manipulating network namespaces to increase race condition timing windows
- Generating IPv6 network traffic that invokes the ip6_default_advmss() function
- Rapidly creating and destroying network namespaces while IPv6 operations are in progress
Successful exploitation results in a kernel panic or system crash, causing denial of service. The attack does not require user interaction and can affect system availability.
The fix involves wrapping the network namespace access in ip6_default_advmss() with proper rcu_read_lock() and rcu_read_unlock() calls to ensure the net structure remains valid throughout the function's execution.
Detection Methods for CVE-2025-21765
Indicators of Compromise
- Unexpected kernel panics or system crashes with stack traces referencing ip6_default_advmss() or IPv6 networking code
- Kernel oops messages in system logs (/var/log/kern.log or dmesg) related to network namespace operations
- System instability when creating or destroying network namespaces with active IPv6 traffic
Detection Strategies
- Monitor kernel logs for stack traces containing ip6_default_advmss, ip6_dst_ops, or related IPv6 routing functions
- Implement kernel crash monitoring using tools like kdump or crash to capture and analyze kernel crashes
- Deploy system monitoring to detect unexpected reboots or kernel panic events, particularly on systems with heavy IPv6 usage
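The log check from the list above, as an added shell example (not part of the original advisory or any vendor tooling): it scans a kernel log and reports each crash header whose trace names ip6_default_advmss or ip6_dst_ops. The sample log is constructed, and the header patterns and the 80-line window are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag kernel crash reports whose trace names the affected code.
SYMBOL_RE='ip6_default_advmss|ip6_dst_ops'   # symbols named in the list above
# Assumption: these strings open a crash report on the kernels being monitored.
HEADER_RE='BUG:|Oops|general protection fault|Kernel panic|Unable to handle kernel'
WINDOW=80   # assumption: a trace ends within 80 lines of its header

# scan_kernel_log FILE -> "LINE<TAB>HEADER" once per matching crash report
scan_kernel_log() {
    awk -v sym="$SYMBOL_RE" -v hdr="$HEADER_RE" -v win="$WINDOW" '
        $0 ~ hdr { start = NR; head = $0; seen = 0 }
        start && !seen && NR - start <= win && $0 ~ sym {
            printf "%d\t%s\n", start, head
            seen = 1
        }
    ' "$1"
}

# Constructed sample log: timestamps, offsets and callers are illustrative only.
write_sample_log() {
    cat > "$1" <<'EOF'
[  101.000001] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  245.310442] BUG: KASAN: slab-use-after-free in ip6_default_advmss+0x5c/0x120
[  245.310460] Read of size 4 at addr ffff888100000000 by task worker/4321
[  245.310481] Call Trace:
[  245.310490]  ip6_default_advmss+0x5c/0x120
[  245.310499]  tcp_connect+0x2a1/0x10f0
[  310.118200] BUG: unable to handle page fault for address: ffffc90000000000
[  310.118231] Call Trace:
[  310.118240]  ext4_readdir+0x112/0x9a0
[  402.771015] Oops: general protection fault, probably for non-canonical address
[  402.771040] Call Trace:
[  402.771049]  dst_metric_advmss+0x33/0x60
[  402.771058]  ip6_default_advmss+0x41/0x120
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_kernel_log "$sample"   # on a live host: dmesg > file, or /var/log/kern.log
rm -f "$sample"
```

A hit only says the crash passed through the affected code; confirm the running kernel version against the patched releases before treating it as this CVE.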
Monitoring Recommendations
- Enable kernel auditing for network namespace creation and destruction events
- Configure system health monitoring to alert on kernel panic occurrences
- Review /var/log/messages and /var/log/syslog for RCU-related warnings or network namespace errors
- Use SentinelOne's Linux agent to monitor for system anomalies and potential exploitation attempts
How to Mitigate CVE-2025-21765
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the RCU protection fix
- Review and apply vendor-specific security updates from your Linux distribution
- For Debian-based systems, apply updates referenced in the Debian LTS Announcement March 2025 and Debian LTS Announcement May 2025
- Prioritize patching systems with active IPv6 networking and network namespace usage
Patch Information
The Linux kernel development team has released patches to address this vulnerability across multiple stable kernel branches. The fix adds proper RCU protection to the ip6_default_advmss() function to prevent the race condition.
Official patches are available from the following kernel commits:
- Kernel Commit 28de355b
- Kernel Commit 3c8ffcd2
- Kernel Commit 4176a68b
- Kernel Commit 550ed693
- Kernel Commit 713a40c8
- Kernel Commit 78ad0574
- Kernel Commit 84212387
- Kernel Commit d02f30d2
Workarounds
- Limit network namespace creation privileges to trusted administrators only
- If IPv6 is not required, consider disabling IPv6 temporarily by setting net.ipv6.conf.all.disable_ipv6=1 via sysctl
- Restrict local user access on systems where patching cannot be immediately performed
```bash
# Temporary workaround: Disable IPv6 if not required
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# Make persistent across reboots (add to /etc/sysctl.conf)
echo "net.ipv6.conf.all.disable_ipv6=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" | sudo tee -a /etc/sysctl.conf
```
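To confirm the workarounds above are actually in effect, the following added example (not from the original advisory) reports interfaces where IPv6 is still enabled, what is persisted in the sysctl file, and whether unprivileged users can still reach network namespace creation. The ROOT and CONF variables and the function names are assumptions of this sketch; kernel.unprivileged_userns_clone and user.max_user_namespaces are not mentioned on the page.

```shell
#!/bin/sh
# Added example, not vendor code. ROOT and CONF are parameters of this sketch
# so the checks can run against a copied tree as well as the live system.
ROOT=${ROOT:-/proc/sys}
CONF=${CONF:-/etc/sysctl.conf}

# val PATH -> sysctl value under ROOT, or "absent" when the key does not exist
val() { [ -r "$ROOT/$1" ] && cat "$ROOT/$1" || echo absent; }

# Entries under net.ipv6.conf (all, default, each interface) not set to 1.
ipv6_enabled_entries() {
    for f in "$ROOT"/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = 1 ] || basename "$(dirname "$f")"
    done
}

# persisted KEY -> value of the last "KEY = value" line in CONF (last one wins)
persisted() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$CONF" 2>/dev/null |
        tail -n 1
}

# An unprivileged user gets the CAP_SYS_ADMIN needed for a new network
# namespace by first creating a user namespace; either sysctl at 0 closes that
# path. kernel.unprivileged_userns_clone is a distribution patch (Debian,
# Ubuntu) and is absent on upstream kernels.
unpriv_netns_path() {
    if [ "$(val kernel/unprivileged_userns_clone)" = 0 ] ||
       [ "$(val user/max_user_namespaces)" = 0 ]; then echo closed
    else echo open; fi
}

report() {
    echo "IPv6 still enabled on: $(ipv6_enabled_entries | tr '\n' ' ')"
    for k in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        echo "persisted $k = $(persisted "$k")"
    done
    echo "unprivileged netns creation path: $(unpriv_netns_path)"
}
report
```

Closing the user-namespace path also affects software that relies on unprivileged user namespaces, such as rootless containers and some browser sandboxes, so test before applying it fleet-wide.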
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


