Use After Free Affecting kernel-debug-modules-core package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-KERNELDEBUGMODULESCORE-9446964
- published15 Mar 2025
- disclosed12 Mar 2025
Introduced: 12 Mar 2025
NewCVE-2025-21855 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
There is no fixed version for Centos:9 kernel-debug-modules-core.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-debug-modules-core package and not the kernel-debug-modules-core package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free:
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224
References
- https://access.redhat.com/security/cve/CVE-2025-21855
- https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597
- https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
- https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306
- https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09
- https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9
CVSS Base Scores
version 3.1