VULNERABILITY

Ubuntu: (Multiple Advisories) (CVE-2025-21700): Linux kernel vulnerabilities

Try Surface Command Get a continuous 360° view of your attack surface

Back to Search

Ubuntu: (Multiple Advisories) (CVE-2025-21700): Linux kernel vulnerabilities

Severity

CVSS

(AV:L/AC:L/Au:S/C:C/I:C/A:C)

Published

02/13/2025

Created

04/11/2025

Added

04/10/2025

Modified

05/29/2025

Description

In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com>

Solution(s)

ubuntu-upgrade-linux-image-4-15-0-1134-fips
ubuntu-upgrade-linux-image-4-15-0-1141-oracle
ubuntu-upgrade-linux-image-4-15-0-1162-kvm
ubuntu-upgrade-linux-image-4-15-0-1172-gcp
ubuntu-upgrade-linux-image-4-15-0-1179-aws
ubuntu-upgrade-linux-image-4-15-0-1187-azure
ubuntu-upgrade-linux-image-4-15-0-2080-gcp-fips
ubuntu-upgrade-linux-image-4-15-0-2096-azure-fips
ubuntu-upgrade-linux-image-4-15-0-2117-aws-fips
ubuntu-upgrade-linux-image-4-15-0-236-generic
ubuntu-upgrade-linux-image-4-15-0-236-lowlatency
ubuntu-upgrade-linux-image-4-4-0-1112-fips
ubuntu-upgrade-linux-image-4-4-0-1142-aws
ubuntu-upgrade-linux-image-4-4-0-1143-kvm
ubuntu-upgrade-linux-image-4-4-0-1180-aws
ubuntu-upgrade-linux-image-4-4-0-267-generic
ubuntu-upgrade-linux-image-4-4-0-267-lowlatency
ubuntu-upgrade-linux-image-5-15-0-1023-nvidia-tegra-igx
ubuntu-upgrade-linux-image-5-15-0-1023-nvidia-tegra-igx-rt
ubuntu-upgrade-linux-image-5-15-0-1035-nvidia-tegra
ubuntu-upgrade-linux-image-5-15-0-1035-nvidia-tegra-rt
ubuntu-upgrade-linux-image-5-15-0-1046-xilinx-zynqmp
ubuntu-upgrade-linux-image-5-15-0-1064-gkeop
ubuntu-upgrade-linux-image-5-15-0-1074-ibm
ubuntu-upgrade-linux-image-5-15-0-1075-intel-iot-realtime
ubuntu-upgrade-linux-image-5-15-0-1076-nvidia
ubuntu-upgrade-linux-image-5-15-0-1076-nvidia-lowlatency
ubuntu-upgrade-linux-image-5-15-0-1076-raspi
ubuntu-upgrade-linux-image-5-15-0-1077-intel-iotg
ubuntu-upgrade-linux-image-5-15-0-1078-kvm
ubuntu-upgrade-linux-image-5-15-0-1079-gke
ubuntu-upgrade-linux-image-5-15-0-1079-oracle
ubuntu-upgrade-linux-image-5-15-0-1081-gcp
ubuntu-upgrade-linux-image-5-15-0-1081-gcp-fips
ubuntu-upgrade-linux-image-5-15-0-1082-aws
ubuntu-upgrade-linux-image-5-15-0-1082-aws-fips
ubuntu-upgrade-linux-image-5-15-0-1082-realtime
ubuntu-upgrade-linux-image-5-15-0-1087-azure
ubuntu-upgrade-linux-image-5-15-0-1087-azure-fde
ubuntu-upgrade-linux-image-5-15-0-1087-azure-fips
ubuntu-upgrade-linux-image-5-15-0-138-fips
ubuntu-upgrade-linux-image-5-15-0-138-generic
ubuntu-upgrade-linux-image-5-15-0-138-generic-64k
ubuntu-upgrade-linux-image-5-15-0-138-generic-lpae
ubuntu-upgrade-linux-image-5-15-0-138-lowlatency
ubuntu-upgrade-linux-image-5-15-0-138-lowlatency-64k
ubuntu-upgrade-linux-image-5-4-0-1049-iot
ubuntu-upgrade-linux-image-5-4-0-1062-xilinx-zynqmp
ubuntu-upgrade-linux-image-5-4-0-1090-ibm
ubuntu-upgrade-linux-image-5-4-0-1103-bluefield
ubuntu-upgrade-linux-image-5-4-0-1118-fips
ubuntu-upgrade-linux-image-5-4-0-1129-raspi
ubuntu-upgrade-linux-image-5-4-0-1131-kvm
ubuntu-upgrade-linux-image-5-4-0-1142-oracle
ubuntu-upgrade-linux-image-5-4-0-1144-aws
ubuntu-upgrade-linux-image-5-4-0-1144-aws-fips
ubuntu-upgrade-linux-image-5-4-0-1147-gcp
ubuntu-upgrade-linux-image-5-4-0-1147-gcp-fips
ubuntu-upgrade-linux-image-5-4-0-1149-azure
ubuntu-upgrade-linux-image-5-4-0-1149-azure-fips
ubuntu-upgrade-linux-image-5-4-0-214-generic
ubuntu-upgrade-linux-image-5-4-0-214-generic-lpae
ubuntu-upgrade-linux-image-5-4-0-214-lowlatency
ubuntu-upgrade-linux-image-6-11-0-1008-realtime
ubuntu-upgrade-linux-image-6-11-0-1011-raspi
ubuntu-upgrade-linux-image-6-11-0-1012-aws
ubuntu-upgrade-linux-image-6-11-0-1012-lowlatency
ubuntu-upgrade-linux-image-6-11-0-1012-lowlatency-64k
ubuntu-upgrade-linux-image-6-11-0-1013-azure
ubuntu-upgrade-linux-image-6-11-0-1013-azure-fde
ubuntu-upgrade-linux-image-6-11-0-1013-gcp
ubuntu-upgrade-linux-image-6-11-0-1013-gcp-64k
ubuntu-upgrade-linux-image-6-11-0-1014-oracle
ubuntu-upgrade-linux-image-6-11-0-1014-oracle-64k
ubuntu-upgrade-linux-image-6-11-0-1020-oem
ubuntu-upgrade-linux-image-6-11-0-24-generic
ubuntu-upgrade-linux-image-6-11-0-24-generic-64k
ubuntu-upgrade-linux-image-6-8-0-1010-gkeop
ubuntu-upgrade-linux-image-6-8-0-1014-azure-nvidia
ubuntu-upgrade-linux-image-6-8-0-1023-gke
ubuntu-upgrade-linux-image-6-8-0-1024-ibm
ubuntu-upgrade-linux-image-6-8-0-1024-oracle
ubuntu-upgrade-linux-image-6-8-0-1024-oracle-64k
ubuntu-upgrade-linux-image-6-8-0-1026-nvidia
ubuntu-upgrade-linux-image-6-8-0-1026-nvidia-64k
ubuntu-upgrade-linux-image-6-8-0-1026-nvidia-lowlatency
ubuntu-upgrade-linux-image-6-8-0-1026-nvidia-lowlatency-64k
ubuntu-upgrade-linux-image-6-8-0-1026-oem
ubuntu-upgrade-linux-image-6-8-0-1027-aws
ubuntu-upgrade-linux-image-6-8-0-1027-azure
ubuntu-upgrade-linux-image-6-8-0-1027-azure-fde
ubuntu-upgrade-linux-image-6-8-0-1028-gcp
ubuntu-upgrade-linux-image-6-8-0-1028-gcp-64k
ubuntu-upgrade-linux-image-6-8-0-1028-raspi
ubuntu-upgrade-linux-image-6-8-0-2023-raspi-realtime
ubuntu-upgrade-linux-image-6-8-0-58-generic
ubuntu-upgrade-linux-image-6-8-0-58-generic-64k
ubuntu-upgrade-linux-image-6-8-0-58-lowlatency
ubuntu-upgrade-linux-image-6-8-0-58-lowlatency-64k
ubuntu-upgrade-linux-image-6-8-1-1020-realtime
ubuntu-upgrade-linux-image-aws
ubuntu-upgrade-linux-image-aws-fips
ubuntu-upgrade-linux-image-aws-hwe
ubuntu-upgrade-linux-image-aws-lts-18-04
ubuntu-upgrade-linux-image-aws-lts-20-04
ubuntu-upgrade-linux-image-aws-lts-22-04
ubuntu-upgrade-linux-image-aws-lts-24-04
ubuntu-upgrade-linux-image-azure
ubuntu-upgrade-linux-image-azure-cvm
ubuntu-upgrade-linux-image-azure-fde
ubuntu-upgrade-linux-image-azure-fde-lts-22-04
ubuntu-upgrade-linux-image-azure-fde-lts-24-04
ubuntu-upgrade-linux-image-azure-fips
ubuntu-upgrade-linux-image-azure-lts-18-04
ubuntu-upgrade-linux-image-azure-lts-20-04
ubuntu-upgrade-linux-image-azure-lts-22-04
ubuntu-upgrade-linux-image-azure-lts-24-04
ubuntu-upgrade-linux-image-azure-nvidia
ubuntu-upgrade-linux-image-bluefield
ubuntu-upgrade-linux-image-fips
ubuntu-upgrade-linux-image-gcp
ubuntu-upgrade-linux-image-gcp-64k
ubuntu-upgrade-linux-image-gcp-64k-lts-24-04
ubuntu-upgrade-linux-image-gcp-fips
ubuntu-upgrade-linux-image-gcp-lts-18-04
ubuntu-upgrade-linux-image-gcp-lts-20-04
ubuntu-upgrade-linux-image-gcp-lts-22-04
ubuntu-upgrade-linux-image-gcp-lts-24-04
ubuntu-upgrade-linux-image-generic
ubuntu-upgrade-linux-image-generic-64k
ubuntu-upgrade-linux-image-generic-64k-hwe-20-04
ubuntu-upgrade-linux-image-generic-64k-hwe-22-04
ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
ubuntu-upgrade-linux-image-generic-hwe-16-04
ubuntu-upgrade-linux-image-generic-hwe-18-04
ubuntu-upgrade-linux-image-generic-hwe-20-04
ubuntu-upgrade-linux-image-generic-hwe-22-04
ubuntu-upgrade-linux-image-generic-hwe-24-04
ubuntu-upgrade-linux-image-generic-lpae
ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04
ubuntu-upgrade-linux-image-generic-lts-xenial
ubuntu-upgrade-linux-image-gke
ubuntu-upgrade-linux-image-gke-5-15
ubuntu-upgrade-linux-image-gkeop
ubuntu-upgrade-linux-image-gkeop-5-15
ubuntu-upgrade-linux-image-gkeop-6-8
ubuntu-upgrade-linux-image-ibm
ubuntu-upgrade-linux-image-ibm-classic
ubuntu-upgrade-linux-image-ibm-lts-20-04
ubuntu-upgrade-linux-image-ibm-lts-24-04
ubuntu-upgrade-linux-image-intel
ubuntu-upgrade-linux-image-intel-iot-realtime
ubuntu-upgrade-linux-image-intel-iotg
ubuntu-upgrade-linux-image-kvm
ubuntu-upgrade-linux-image-lowlatency
ubuntu-upgrade-linux-image-lowlatency-64k
ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04
ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04
ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04
ubuntu-upgrade-linux-image-lowlatency-hwe-16-04
ubuntu-upgrade-linux-image-lowlatency-hwe-18-04
ubuntu-upgrade-linux-image-lowlatency-hwe-20-04
ubuntu-upgrade-linux-image-lowlatency-hwe-22-04
ubuntu-upgrade-linux-image-lowlatency-hwe-24-04
ubuntu-upgrade-linux-image-lowlatency-lts-xenial
ubuntu-upgrade-linux-image-nvidia
ubuntu-upgrade-linux-image-nvidia-6-8
ubuntu-upgrade-linux-image-nvidia-64k
ubuntu-upgrade-linux-image-nvidia-64k-6-8
ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04
ubuntu-upgrade-linux-image-nvidia-hwe-22-04
ubuntu-upgrade-linux-image-nvidia-lowlatency
ubuntu-upgrade-linux-image-nvidia-lowlatency-64k
ubuntu-upgrade-linux-image-nvidia-tegra
ubuntu-upgrade-linux-image-nvidia-tegra-igx
ubuntu-upgrade-linux-image-nvidia-tegra-igx-rt
ubuntu-upgrade-linux-image-nvidia-tegra-rt
ubuntu-upgrade-linux-image-oem
ubuntu-upgrade-linux-image-oem-20-04
ubuntu-upgrade-linux-image-oem-20-04b
ubuntu-upgrade-linux-image-oem-20-04c
ubuntu-upgrade-linux-image-oem-20-04d
ubuntu-upgrade-linux-image-oem-22-04
ubuntu-upgrade-linux-image-oem-22-04a
ubuntu-upgrade-linux-image-oem-22-04b
ubuntu-upgrade-linux-image-oem-22-04c
ubuntu-upgrade-linux-image-oem-22-04d
ubuntu-upgrade-linux-image-oem-24-04
ubuntu-upgrade-linux-image-oem-24-04a
ubuntu-upgrade-linux-image-oem-24-04b
ubuntu-upgrade-linux-image-oem-osp1
ubuntu-upgrade-linux-image-oracle
ubuntu-upgrade-linux-image-oracle-64k
ubuntu-upgrade-linux-image-oracle-64k-lts-24-04
ubuntu-upgrade-linux-image-oracle-lts-18-04
ubuntu-upgrade-linux-image-oracle-lts-20-04
ubuntu-upgrade-linux-image-oracle-lts-22-04
ubuntu-upgrade-linux-image-oracle-lts-24-04
ubuntu-upgrade-linux-image-raspi
ubuntu-upgrade-linux-image-raspi-hwe-18-04
ubuntu-upgrade-linux-image-raspi-nolpae
ubuntu-upgrade-linux-image-raspi-realtime
ubuntu-upgrade-linux-image-raspi2
ubuntu-upgrade-linux-image-realtime
ubuntu-upgrade-linux-image-realtime-hwe-24-04
ubuntu-upgrade-linux-image-snapdragon-hwe-18-04
ubuntu-upgrade-linux-image-virtual
ubuntu-upgrade-linux-image-virtual-hwe-16-04
ubuntu-upgrade-linux-image-virtual-hwe-18-04
ubuntu-upgrade-linux-image-virtual-hwe-20-04
ubuntu-upgrade-linux-image-virtual-hwe-22-04
ubuntu-upgrade-linux-image-virtual-hwe-24-04
ubuntu-upgrade-linux-image-virtual-lts-xenial
ubuntu-upgrade-linux-image-xilinx-zynqmp

References

https://attackerkb.com/topics/cve-2025-21700
CVE - 2025-21700
USN-7428-1
USN-7428-2
USN-7429-1
USN-7429-2
USN-7445-1
USN-7448-1
USN-7449-1
USN-7449-2
USN-7450-1
USN-7451-1
USN-7452-1
USN-7453-1
USN-7455-1
USN-7455-2
USN-7455-3
USN-7455-4
USN-7455-5
USN-7459-1
USN-7459-2
USN-7460-1
USN-7461-1
USN-7461-2
USN-7461-3
USN-7462-1
USN-7462-2
USN-7463-1
USN-7468-1
USN-7475-1
USN-7523-1
USN-7524-1
USN-7539-1
USN-7540-1
https://git.kernel.org/stable/c/46c59ec33ec98aba20c15117630cae43a01404cc
https://git.kernel.org/stable/c/73c7e1d6898ccbeee126194dcc05f58b8a795e70
https://git.kernel.org/stable/c/7e2bd8c13b07e29a247c023c7444df23f9a79fd8
https://git.kernel.org/stable/c/bc50835e83f60f56e9bec2b392fb5544f250fb6f
https://ubuntu.com/security/notices/USN-7428-1
https://ubuntu.com/security/notices/USN-7428-2
https://ubuntu.com/security/notices/USN-7429-1
https://ubuntu.com/security/notices/USN-7429-2
https://www.cve.org/CVERecord?id=CVE-2025-21700

Advanced vulnerability management analytics and reporting.

Key Features

Lightweight Endpoint Agent
Live Dashboards
Real Risk Prioritization
IT-Integrated Remediation Projects
Cloud, Virtual, and Container Assessment
Integrated Threat Feeds
Easy-to-Use RESTful API
Automation-Assisted Patching
Automated Containment

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

VULNERABILITY

Ubuntu: (Multiple Advisories) (CVE-2025-21700): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2025-21700): Linux kernel vulnerabilities

Description

Solution(s)

References

Submit your information and we will get in touch with you.

Thank you for contacting us.

We will be in touch shortly.