{"uuid": "071c6be2-527e-4bcb-9cc4-9adfda999802", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21692", "type": "seen", "source": "https://t.me/cvedetector/17571", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2025-21692 - Linux Kernel: Qdisc ETS Class Array Index Out-of-Bounds Vulnerability\", \n \"Content\": \"CVE ID : CVE-2025-21692 \nPublished : Feb. 10, 2025, 4:15 p.m. | 1\u00a0hour, 27\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nnet: sched: fix ets qdisc OOB Indexing \n \nHaowei Yan found that ets_class_from_arg() can \nindex an Out-Of-Bound class in ets_class_from_arg() when passed clid of \n0. The overflow may cause local privilege escalation. \n \n [ 18.852298] ------------[ cut here ]------------ \n [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 \n [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' \n [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 \n [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 \n [ 18.856532] Call Trace: \n [ 18.857441] \n [ 18.858227] dump_stack_lvl+0xc2/0xf0 \n [ 18.859607] dump_stack+0x10/0x20 \n [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 \n [ 18.864022] ets_class_change+0x3d6/0x3f0 \n [ 18.864322] tc_ctl_tclass+0x251/0x910 \n [ 18.864587] ? lock_acquire+0x5e/0x140 \n [ 18.865113] ? __mutex_lock+0x9c/0xe70 \n [ 18.866009] ? __mutex_lock+0xa34/0xe70 \n [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 \n [ 18.866806] ? __lock_acquire+0x578/0xc10 \n [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 \n [ 18.867503] netlink_rcv_skb+0x59/0x110 \n [ 18.867776] rtnetlink_rcv+0x15/0x30 \n [ 18.868159] netlink_unicast+0x1c3/0x2b0 \n [ 18.868440] netlink_sendmsg+0x239/0x4b0 \n [ 18.868721] ____sys_sendmsg+0x3e2/0x410 \n [ 18.869012] ___sys_sendmsg+0x88/0xe0 \n [ 18.869276] ? rseq_ip_fixup+0x198/0x260 \n [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 \n [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 \n [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 \n [ 18.870547] ? do_syscall_64+0x93/0x150 \n [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 \n [ 18.871157] __sys_sendmsg+0x69/0xd0 \n [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 \n [ 18.871699] x64_sys_call+0x9e2/0x2670 \n [ 18.871979] do_syscall_64+0x87/0x150 \n [ 18.873280] ? do_syscall_64+0x93/0x150 \n [ 18.874742] ? lock_release+0x7b/0x160 \n [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 \n [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 \n [ 18.879608] ? irqentry_exit+0x77/0xb0 \n [ 18.879808] ? clear_bhb_loop+0x15/0x70 \n [ 18.880023] ? clear_bhb_loop+0x15/0x70 \n [ 18.880223] ? clear_bhb_loop+0x15/0x70 \n [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e \n [ 18.880683] RIP: 0033:0x44a957 \n [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <483d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 \n [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e \n [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 \n [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 \n [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 \n [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 \n [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 \n [ 18.888395] \n [ 18.888610] ---[ end trace ]--- \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"10 Feb 2025\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-10T18:45:46.000000Z"}