Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2025-21823

Disclosure Date: February 27, 2025
CVE-2025-21823
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: Drop unmanaged ELP metric worker

The ELP worker needs to calculate new metric values for all neighbors
“reachable” over an interface. Some of the used metric sources require
locks which might need to sleep. This sleep is incompatible with the RCU
list iterator used for the recorded neighbors. The initial approach to work
around of this problem was to queue another work item per neighbor and then
run this in a new context.

Even when this solved the RCU vs might_sleep() conflict, it has a major
problems: Nothing was stopping the work item in case it is not needed
anymore – for example because one of the related interfaces was removed or
the batman-adv module was unloaded – resulting in potential invalid memory
accesses.

Directly canceling the metric worker also has various problems:

  • cancel_work_sync for a to-be-deactivated interface is called with
    rtnl_lock held. But the code in the ELP metric worker also tries to use
    rtnl_lock() – which will never return in this case. This also means that
    cancel_work_sync would never return because it is waiting for the worker
    to finish.
  • iterating over the neighbor list for the to-be-deactivated interface is
    currently done using the RCU specific methods. Which means that it is
    possible to miss items when iterating over it without the associated
    spinlock – a behaviour which is acceptable for a periodic metric check
    but not for a cleanup routine (which must “stop” all still running
    workers)

The better approch is to get rid of the per interface neighbor metric
worker and handle everything in the interface worker. The original problems
are solved by:

  • creating a list of neighbors which require new metric information inside
    the RCU protected context, gathering the metric according to the new list
    outside the RCU protected context
  • only use rcu_trylock inside metric gathering code to avoid a deadlock
    when the cancel_delayed_work_sync is called in the interface removal code
    (which is called with the rtnl_lock held)

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux 781a06fd265a8151f7601122d9c2e985663828ff
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

Technical Analysis