CVE-2025-21635

Summary

In the Linux kernel, the following vulnerability has been resolved:

rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy

As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons:

  • Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns.

  • current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2).

The per-netns structure can be obtained from the table->data using container_of(), then the 'net' one can be retrieved from the listen socket (if available).

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc6a58ffed53612be86b758df1cdb0b0f4305e9cb < de8d6de0ee27be4b2b1e5b06f04aeacbabbba492affected
LinuxLinuxc6a58ffed53612be86b758df1cdb0b0f4305e9cb < 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95caffected
LinuxLinux4.6affected
LinuxLinux0 < 4.6unaffected
LinuxLinux6.12.10 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References