CVE-2025-21853

In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0]. So, instead, hold freeze_mutex only during writeability checks, bump (proactively) "write active" count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that "write active" counter increment. [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f
https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe	Patch
https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29	Patch
https://git.kernel.org/stable/c/2ce31c97c219b4fe797749f950274f246eb88c49
https://git.kernel.org/stable/c/4759acbd44d24a69b7b14848012ec4201d6c5501
https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb	Patch
https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::

History

02 May 2025, 07:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f - () https://git.kernel.org/stable/c/2ce31c97c219b4fe797749f950274f246eb88c49 -

25 Apr 2025, 11:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/4759acbd44d24a69b7b14848012ec4201d6c5501 -

13 Mar 2025, 16:30

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe -~~	() https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe - Patch
References	~~() https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29 -~~	() https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29 - Patch
References	~~() https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb -~~	() https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb - Patch
References	~~() https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4 -~~	() https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4 - Patch
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux Linux linux Kernel
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: evitar mantener freeze_mutex durante la operación mmap. Usamos map->freeze_mutex para evitar ejecuciones entre map_freeze() y el mapeo de memoria del contenido del mapa BPF con permisos de escritura. Esta forma ingenua de hacerlo implica mantener freeze_mutex durante todas las manipulaciones mm y VMA, lo cual es completamente innecesario. Esto también puede provocar interbloqueos, como informa syzbot en [0]. Por lo tanto, se mantiene freeze_mutex solo durante las comprobaciones de escritura, se aumenta (proactivamente) el contador de "escritura activa" del mapa, se desbloquea el mutex y se continúa con la lógica mmap. Solo si algo falla durante la lógica mmap, se deshace el incremento del contador de "escritura activa". [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.14:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.14:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::

12 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-12 10:15

Updated : 2025-05-02 07:15

NVD link : CVE-2025-21853

Mitre link : CVE-2025-21853

CVE.ORG link : CVE-2025-21853

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2025-21853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-03-12T10:15:18.063", "references": [{"url": "https://git.kernel.org/stable/c/0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2ce31c97c219b4fe797749f950274f246eb88c49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4759acbd44d24a69b7b14848012ec4201d6c5501", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: avoid holding freeze_mutex during mmap operation\n\nWe use map->freeze_mutex to prevent races between map_freeze() and\nmemory mapping BPF map contents with writable permissions. The way we\nnaively do this means we'll hold freeze_mutex for entire duration of all\nthe mm and VMA manipulations, which is completely unnecessary. This can\npotentially also lead to deadlocks, as reported by syzbot in [0].\n\nSo, instead, hold freeze_mutex only during writeability checks, bump\n(proactively) \"write active\" count for the map, unlock the mutex and\nproceed with mmap logic. And only if something went wrong during mmap\nlogic, then undo that \"write active\" counter increment.\n\n [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: evitar mantener freeze_mutex durante la operaci\u00f3n mmap. Usamos map->freeze_mutex para evitar ejecuciones entre map_freeze() y el mapeo de memoria del contenido del mapa BPF con permisos de escritura. Esta forma ingenua de hacerlo implica mantener freeze_mutex durante todas las manipulaciones mm y VMA, lo cual es completamente innecesario. Esto tambi\u00e9n puede provocar interbloqueos, como informa syzbot en [0]. Por lo tanto, se mantiene freeze_mutex solo durante las comprobaciones de escritura, se aumenta (proactivamente) el contador de \"escritura activa\" del mapa, se desbloquea el mutex y se contin\u00faa con la l\u00f3gica mmap. Solo si algo falla durante la l\u00f3gica mmap, se deshace el incremento del contador de \"escritura activa\". [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/"}], "lastModified": "2025-05-02T07:15:58.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48071216-A653-44DB-BA74-A5022DF1BE48", "versionEndExcluding": "6.6.80", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15370AEE-6D1C-49C3-8CB7-E889D5F92B6F", "versionEndExcluding": "6.12.17", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72E69ABB-9015-43A6-87E1-5150383CFFD9", "versionEndExcluding": "6.13.5", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

5.5 /10