CVE-2025-21865 (GCVE-0-2025-21865)

Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2026-05-23 15:57
VLAI
Title
gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
Summary
In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: <TASK> [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl ---truncated---
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: c986380c1d5274c4d5e935addc807d6791cc23eb , < 7f86fb07db65a470d0c11f79da551bd9466357dc (git)
Affected: 5f1678346109ff3a6d229d33437fcba3cce9209d , < 33eb925c0c26e86ca540a08254806512bf911f22 (git)
Affected: 036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3 , < cb15bb1bde0ba97cbbed9508e45210dcafec3657 (git)
Affected: efec287cbac92ac6ee8312a89221854760e13b34 , < b70fa591b066d52b141fc430ffdee35b6cc87a66 (git)
Affected: bb11f992f5a475bc68ef959f17a55306f0328495 , < 9d03e7e37187ae140e716377599493987fb20c5b (git)
Affected: 86f73d4ab2f27deeff22ba9336ad103d94f12ac7 , < ff81b14010362f6188ca26fec22ff05e4da45595 (git)
Affected: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 , < 37e7644b961600ef0beb01d3970c3034a62913af (git)
Affected: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 , < 4ccacf86491d33d2486b62d4d44864d7101b299d (git)
Affected: 5.4.290 , < 5.4.291 (semver)
Affected: 5.10.234 , < 5.10.235 (semver)
Affected: 5.15.177 , < 5.15.179 (semver)
Affected: 6.1.127 , < 6.1.130 (semver)
Affected: 6.6.74 , < 6.6.80 (semver)
Affected: 6.12.11 , < 6.12.17 (semver)
Create a notification for this product.
Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.80 , ≤ 6.6.* (semver)
Unaffected: 6.12.17 , ≤ 6.12.* (semver)
Unaffected: 6.13.5 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem Affected: 0 , < * (custom)
Create a notification for this product.
Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21865",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:25:29.794279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:37.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:21.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:13:17.362Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f86fb07db65a470d0c11f79da551bd9466357dc",
              "status": "affected",
              "version": "c986380c1d5274c4d5e935addc807d6791cc23eb",
              "versionType": "git"
            },
            {
              "lessThan": "33eb925c0c26e86ca540a08254806512bf911f22",
              "status": "affected",
              "version": "5f1678346109ff3a6d229d33437fcba3cce9209d",
              "versionType": "git"
            },
            {
              "lessThan": "cb15bb1bde0ba97cbbed9508e45210dcafec3657",
              "status": "affected",
              "version": "036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3",
              "versionType": "git"
            },
            {
              "lessThan": "b70fa591b066d52b141fc430ffdee35b6cc87a66",
              "status": "affected",
              "version": "efec287cbac92ac6ee8312a89221854760e13b34",
              "versionType": "git"
            },
            {
              "lessThan": "9d03e7e37187ae140e716377599493987fb20c5b",
              "status": "affected",
              "version": "bb11f992f5a475bc68ef959f17a55306f0328495",
              "versionType": "git"
            },
            {
              "lessThan": "ff81b14010362f6188ca26fec22ff05e4da45595",
              "status": "affected",
              "version": "86f73d4ab2f27deeff22ba9336ad103d94f12ac7",
              "versionType": "git"
            },
            {
              "lessThan": "37e7644b961600ef0beb01d3970c3034a62913af",
              "status": "affected",
              "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
              "versionType": "git"
            },
            {
              "lessThan": "4ccacf86491d33d2486b62d4d44864d7101b299d",
              "status": "affected",
              "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.291",
              "status": "affected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.235",
              "status": "affected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.179",
              "status": "affected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.130",
              "status": "affected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.80",
              "status": "affected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.17",
              "status": "affected",
              "version": "6.12.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.290",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.177",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "6.1.127",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.6.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket\u0027s netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger -\u003edellink() twice for the same device during\n-\u003eexit_batch_rtnl().\n\nSay we have two netns A \u0026 B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n  1. cleanup_net() processes netns A and then B.\n\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns A\u0027s gn-\u003egtp_dev_list and calls -\u003edellink().\n\n  [ device B is not yet unlinked from netns B\n    as unregister_netdevice_many() has not been called. ]\n\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns B\u0027s for_each_netdev() and calls -\u003edellink().\n\ngtp_dellink() cleans up the device\u0027s hash table, unlinks the dev from\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet\u0027s remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n \u003cTASK\u003e\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:57:19.306Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"
        },
        {
          "url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"
        },
        {
          "url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"
        }
      ],
      "title": "gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21865",
    "datePublished": "2025-03-12T09:42:21.901Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2026-05-23T15:57:19.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21865",
      "date": "2026-06-07",
      "epss": "0.00012",
      "percentile": "0.01827"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21865\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-03-12T10:15:19.650\",\"lastModified\":\"2026-05-12T13:16:39.627\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\\n\\nBrad Spengler reported the list_del() corruption splat in\\ngtp_net_exit_batch_rtnl(). [0]\\n\\nCommit eb28fd76c0a0 (\\\"gtp: Destroy device along with udp socket\u0027s netns\\ndismantle.\\\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\\nto destroy devices in each netns as done in geneve and ip tunnels.\\n\\nHowever, this could trigger -\u003edellink() twice for the same device during\\n-\u003eexit_batch_rtnl().\\n\\nSay we have two netns A \u0026 B and gtp device B that resides in netns B but\\nwhose UDP socket is in netns A.\\n\\n  1. cleanup_net() processes netns A and then B.\\n\\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\\n     netns A\u0027s gn-\u003egtp_dev_list and calls -\u003edellink().\\n\\n  [ device B is not yet unlinked from netns B\\n    as unregister_netdevice_many() has not been called. ]\\n\\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\\n     netns B\u0027s for_each_netdev() and calls -\u003edellink().\\n\\ngtp_dellink() cleans up the device\u0027s hash table, unlinks the dev from\\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\\n\\nBasically, calling gtp_dellink() multiple times is fine unless\\nCONFIG_DEBUG_LIST is enabled.\\n\\nLet\u0027s remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\\ndelegate the destruction to default_device_exit_batch() as done\\nin bareudp.\\n\\n[0]:\\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\\nkernel BUG at lib/list_debug.c:58!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\\nTainted: [T]=RANDSTRUCT\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nWorkqueue: netns cleanup_net\\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\\nRBX: kasan shadow of 0x0\\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\\nStack:\\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\\nCall Trace:\\n \u003cTASK\u003e\\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gtp: Supresi\u00f3n de la corrupci\u00f3n de listas en gtp_net_exit_batch_rtnl(). Brad Spengler report\u00f3 la corrupci\u00f3n de list_del() en gtp_net_exit_batch_rtnl(). [0] El commit eb28fd76c0a0 (\\\"gtp: Destruir dispositivo junto con el desmantelamiento de netns del socket UDP\\\") a\u00f1adi\u00f3 el bucle for_each_netdev() en gtp_net_exit_batch_rtnl() para destruir dispositivos en cada netns, como se hace en los t\u00faneles geneve e IP. Sin embargo, esto podr\u00eda activar -\u0026gt;dellink() dos veces para el mismo dispositivo durante -\u0026gt;exit_batch_rtnl(). Digamos que tenemos dos netns A y B y un dispositivo gtp B que reside en netns B pero cuyo socket UDP est\u00e1 en netns A. 1. cleanup_net() procesa netns A y luego B. 2. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera gn-\u0026gt;gtp_dev_list de netns A y llama a -\u0026gt;dellink(). [el dispositivo B a\u00fan no est\u00e1 desvinculado de netns B ya que no se ha llamado a unregister_netdevice_many().] 3. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera for_each_netdev() de netns B y llama a -\u0026gt;dellink(). gtp_dellink() limpia la tabla hash del dispositivo, desvincula el dev de gn-\u0026gt;gtp_dev_list y llama a unregister_netdevice_queue(). B\u00e1sicamente, llamar a gtp_dellink() varias veces no tiene problema a menos que CONFIG_DEBUG_LIST est\u00e9 habilitado. Eliminemos for_each_netdev() en gtp_net_exit_batch_rtnl() y deleguemos la destrucci\u00f3n a default_device_exit_batch() como se hace en bareudp. [0]: corrupci\u00f3n en list_del, ffff8880aaa62c00-\u0026gt;next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u0026lt;0f\u0026gt; 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace:  [] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [] list_del include/linux/list.h:262 [inl ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.127\",\"versionEndExcluding\":\"6.1.130\",\"matchCriteriaId\":\"F5DAF95A-8A69-4B14-B6B1-D69D7B0E67ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.74\",\"versionEndExcluding\":\"6.6.80\",\"matchCriteriaId\":\"8E39A81F-E53D-411A-A984-01020256DBCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.11\",\"versionEndExcluding\":\"6.12.17\",\"matchCriteriaId\":\"A1046E13-7BCA-4984-A2A5-A636C37F89CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.5\",\"matchCriteriaId\":\"72E69ABB-9015-43A6-87E1-5150383CFFD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.4.290:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"545EEEA7-D108-42AD-A818-71A0944937FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.10.234:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"35D3F462-C339-41FE-9892-249F8F17987E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BE9C4B84-1FEC-4D82-AC35-E594761500D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-082556.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:38:21.987Z\"}}, {\"affected\": [{\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\", \"versions\": [{\"status\": \"affected\", \"version\": \"V3.1.5\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\", \"versions\": [{\"status\": \"affected\", \"version\": \"V3.1.5\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\", \"versions\": [{\"status\": \"affected\", \"version\": \"V3.1.5\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\", \"versions\": [{\"status\": \"affected\", \"version\": \"V3.1.5\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP\", \"versions\": [{\"status\": \"affected\", \"version\": \"V3.1.5\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"x_adpType\": \"supplier\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-082556.html\"}], \"providerMetadata\": {\"orgId\": \"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\", \"shortName\": \"siemens-SADP\", \"dateUpdated\": \"2026-05-12T12:13:17.362Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21865\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T19:25:29.794279Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T16:58:44.625Z\"}}], \"cna\": {\"title\": \"gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"c986380c1d5274c4d5e935addc807d6791cc23eb\", \"lessThan\": \"7f86fb07db65a470d0c11f79da551bd9466357dc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"5f1678346109ff3a6d229d33437fcba3cce9209d\", \"lessThan\": \"33eb925c0c26e86ca540a08254806512bf911f22\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3\", \"lessThan\": \"cb15bb1bde0ba97cbbed9508e45210dcafec3657\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"efec287cbac92ac6ee8312a89221854760e13b34\", \"lessThan\": \"b70fa591b066d52b141fc430ffdee35b6cc87a66\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"bb11f992f5a475bc68ef959f17a55306f0328495\", \"lessThan\": \"9d03e7e37187ae140e716377599493987fb20c5b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"86f73d4ab2f27deeff22ba9336ad103d94f12ac7\", \"lessThan\": \"ff81b14010362f6188ca26fec22ff05e4da45595\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"eb28fd76c0a08a47b470677c6cef9dd1c60e92d1\", \"lessThan\": \"37e7644b961600ef0beb01d3970c3034a62913af\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"eb28fd76c0a08a47b470677c6cef9dd1c60e92d1\", \"lessThan\": \"4ccacf86491d33d2486b62d4d44864d7101b299d\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/gtp.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.13\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.13\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.291\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.235\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.179\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.130\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.80\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.17\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/gtp.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc\"}, {\"url\": \"https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22\"}, {\"url\": \"https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657\"}, {\"url\": \"https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66\"}, {\"url\": \"https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b\"}, {\"url\": \"https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595\"}, {\"url\": \"https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af\"}, {\"url\": \"https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\\n\\nBrad Spengler reported the list_del() corruption splat in\\ngtp_net_exit_batch_rtnl(). [0]\\n\\nCommit eb28fd76c0a0 (\\\"gtp: Destroy device along with udp socket\u0027s netns\\ndismantle.\\\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\\nto destroy devices in each netns as done in geneve and ip tunnels.\\n\\nHowever, this could trigger -\u003edellink() twice for the same device during\\n-\u003eexit_batch_rtnl().\\n\\nSay we have two netns A \u0026 B and gtp device B that resides in netns B but\\nwhose UDP socket is in netns A.\\n\\n  1. cleanup_net() processes netns A and then B.\\n\\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\\n     netns A\u0027s gn-\u003egtp_dev_list and calls -\u003edellink().\\n\\n  [ device B is not yet unlinked from netns B\\n    as unregister_netdevice_many() has not been called. ]\\n\\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\\n     netns B\u0027s for_each_netdev() and calls -\u003edellink().\\n\\ngtp_dellink() cleans up the device\u0027s hash table, unlinks the dev from\\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\\n\\nBasically, calling gtp_dellink() multiple times is fine unless\\nCONFIG_DEBUG_LIST is enabled.\\n\\nLet\u0027s remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\\ndelegate the destruction to default_device_exit_batch() as done\\nin bareudp.\\n\\n[0]:\\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\\nkernel BUG at lib/list_debug.c:58!\\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\\nTainted: [T]=RANDSTRUCT\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nWorkqueue: netns cleanup_net\\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\\nRBX: kasan shadow of 0x0\\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\\nStack:\\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\\nCall Trace:\\n \u003cTASK\u003e\\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.291\", \"versionStartIncluding\": \"5.4.290\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.235\", \"versionStartIncluding\": \"5.10.234\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.179\", \"versionStartIncluding\": \"5.15.177\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.130\", \"versionStartIncluding\": \"6.1.127\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.80\", \"versionStartIncluding\": \"6.6.74\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.17\", \"versionStartIncluding\": \"6.12.11\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.5\", \"versionStartIncluding\": \"6.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"6.13\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:08:00.850Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21865\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T12:13:17.362Z\", \"dateReserved\": \"2024-12-29T08:45:45.781Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-03-12T09:42:21.901Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.