VLAN Device Misconfiguration in Linux Kernel Affects Networking Functions
CVE-2025-21920

7.1 HIGH

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 1 April 2025

Summary

A vulnerability exists in the Linux kernel's Virtual Local Area Network (VLAN) device initialization. VLAN devices can be improperly created on top of non-Ethernet devices, which can leak sensitive kernel function addresses to user-mode applications. The leak occurs when the GARP and MRP applications are initialized for the underlying device: an out-of-bounds memory access results when the device's address length exceeds the expected size. The issue is particularly problematic because it can be exploited via specific command sequences, which highlights the need for strict device type enforcement during VLAN device creation to maintain kernel integrity.
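For hosts that have not yet taken the fix, the condition described above can be audited from user space. The following is an added example, not code from the kernel or from this advisory: it reads the standard `/proc/net/vlan/config` table and the sysfs `type` and `addr_len` attributes, and flags VLAN devices whose parent is not Ethernet or has an address longer than 6 bytes. The device names and sample values are constructed.

```python
from pathlib import Path

ARPHRD_ETHER = 1  # /sys/class/net/<dev>/type value for Ethernet devices
ETH_ALEN = 6      # Ethernet hardware address length in bytes

def parse_vlan_config(text):
    """Return (vlan_dev, vlan_id, parent_dev) tuples from /proc/net/vlan/config."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        # Data rows have three columns; the header row has two, Name-Type has one.
        if len(fields) == 3 and fields[1].isdigit():
            entries.append((fields[0], int(fields[1]), fields[2]))
    return entries

def sysfs_attr(dev, attr, root="/sys/class/net"):
    """Read an integer attribute such as 'type' or 'addr_len' for a device."""
    return int((Path(root) / dev / attr).read_text().strip())

def audit(config_text, read_attr=sysfs_attr):
    """List VLAN devices whose parent is non-Ethernet or has an oversized address."""
    findings = []
    for vlan_dev, vlan_id, parent in parse_vlan_config(config_text):
        dev_type = read_attr(parent, "type")
        addr_len = read_attr(parent, "addr_len")
        if dev_type != ARPHRD_ETHER or addr_len > ETH_ALEN:
            findings.append({"vlan": vlan_dev, "id": vlan_id, "parent": parent,
                             "type": dev_type, "addr_len": addr_len})
    return findings

# Constructed sample data (not from a real host): eth0 is Ethernet, while the
# hypothetical parent nonether0 has a non-Ethernet type and a 20-byte address.
SAMPLE_CONFIG = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100       | 100  | eth0
nonether0.5    | 5  | nonether0
"""
SAMPLE_SYSFS = {"eth0": {"type": 1, "addr_len": 6},
                "nonether0": {"type": 32, "addr_len": 20}}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, lambda dev, attr: SAMPLE_SYSFS[dev][attr]):
        print(f"VLAN {f['vlan']} sits on non-Ethernet parent {f['parent']} "
              f"(type={f['type']}, addr_len={f['addr_len']})")
```

On a live host, call `audit(Path("/proc/net/vlan/config").read_text())` so the default sysfs reader is used; an empty result means no VLAN device is stacked on a non-Ethernet parent.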

Affected Version(s)

Linux 22bedad3ce112d5ca1eaf043d4990fa2ed698c87 < 7f1564b2b2072b7aa1ac75350e9560a07c7a44fd

Linux 22bedad3ce112d5ca1eaf043d4990fa2ed698c87

Linux 22bedad3ce112d5ca1eaf043d4990fa2ed698c87 < 0fb7aa04c19eac4417f360a9f7611a60637bdacc

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
