CVE-2025-21813

{"id": "CVE-2025-21813", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-27T20:16:03.883", "references": [{"url": "https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-193"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers/migration: Fix off-by-one root mis-connection\n\nBefore attaching a new root to the old root, the children counter of the\nnew root is checked to verify that only the upcoming CPU's top group have\nbeen connected to it. However since the recently added commit b729cc1ec21a\n(\"timers/migration: Fix another race between hotplug and idle entry/exit\")\nthis check is not valid anymore because the old root is pre-accounted\nas a child to the new root. Therefore after connecting the upcoming\nCPU's top group to the new root, the children count to be expected must\nbe 2 and not 1 anymore.\n\nThis omission results in the old root to not be connected to the new\nroot. Then eventually the system may run with more than one top level,\nwhich defeats the purpose of a single idle migrator.\n\nAlso the old root is pre-accounted but not connected upon the new root\ncreation. But it can be connected to the new root later on. Therefore\nthe old root may be accounted twice to the new root. The propagation of\nsuch overcommit can end up creating a double final top-level root with a\ngroupmask incorrectly initialized. Although harmless given that the final\ntop level roots will never have a parent to walk up to, this oddity\nopportunistically reported the core issue:\n\n WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote\n CPU: 8 UID: 0 PID: 0 Comm: swapper/8\n RIP: 0010:tmigr_requires_handle_remote\n Call Trace:\n <IRQ>\n ? tmigr_requires_handle_remote\n ? hrtimer_run_queues\n update_process_times\n tick_periodic\n tick_handle_periodic\n __sysvec_apic_timer_interrupt\n sysvec_apic_timer_interrupt\n </IRQ>\n\nFix the problem by taking the old root into account in the children count\nof the new root so the connection is not omitted.\n\nAlso warn when more than one top level group exists to better detect\nsimilar issues in the future."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: timers/migration: Fix another race between hotplug and idle entry/exit (temporizadores/migraci\u00f3n: Arreglar otra ejecuci\u00f3n entre hotplug y entrada/salida inactiva) Antes de adjuntar una nueva ra\u00edz a la ra\u00edz anterior, se comprueba el contador de hijos de la nueva ra\u00edz para verificar que solo el grupo superior de la pr\u00f3xima CPU se haya conectado a ella. Sin embargo, desde el commit b729cc1ec21a agregada recientemente (\"timers/migration: Fix another race between hotplug and idle entry/exit\"), esta comprobaci\u00f3n ya no es v\u00e1lida porque la ra\u00edz anterior se contabiliza previamente como un hijo de la nueva ra\u00edz. Por lo tanto, despu\u00e9s de conectar el grupo superior de la pr\u00f3xima CPU a la nueva ra\u00edz, el recuento de hijos que se espera debe ser 2 y no 1. Esta omisi\u00f3n da como resultado que la ra\u00edz anterior no se conecte a la nueva ra\u00edz. Luego, eventualmente, el sistema puede ejecutarse con m\u00e1s de un nivel superior, lo que frustra el prop\u00f3sito de un solo migrador inactivo. Adem\u00e1s, la ra\u00edz anterior se contabiliza previamente pero no se conecta al momento de la creaci\u00f3n de la nueva ra\u00edz. Pero se puede conectar a la nueva ra\u00edz m\u00e1s adelante. Por lo tanto, la ra\u00edz antigua puede contabilizarse dos veces para la nueva ra\u00edz. La propagaci\u00f3n de dicha sobreasignaci\u00f3n puede terminar creando una ra\u00edz de nivel superior final doble con una m\u00e1scara de grupo inicializada incorrectamente. Aunque es inofensiva dado que las ra\u00edces de nivel superior finales nunca tendr\u00e1n un padre al que llegar, esta rareza inform\u00f3 oportunistamente el problema principal: ADVERTENCIA: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt Solucione el problema teniendo en cuenta la ra\u00edz antigua en el recuento de hijos de la nueva ra\u00edz para que no se omita la conexi\u00f3n. Tambi\u00e9n advierta cuando exista m\u00e1s de un grupo de nivel superior para detectar mejor problemas similares en el futuro."}], "lastModified": "2025-10-28T02:54:59.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "025396BC-7DE1-42A8-B0FD-73C6932699C8", "versionEndExcluding": "6.12.14", "versionStartIncluding": "6.12.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F2280A3-25EA-474E-A52E-C24AE65A2B00", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}