CVE-2025-21813 Affecting kernel-uek-modules-extra-netfilter package, versions <0:6.12.0-101.33.4.3.el9uek
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-ORACLE9-KERNELUEKMODULESEXTRANETFILTER-10790488
- published19 Jul 2025
- disclosed27 Feb 2025
Introduced: 27 Feb 2025
CVE-2025-21813 (opens in a new tab)How to fix?
Upgrade Oracle:9 kernel-uek-modules-extra-netfilter to version 0:6.12.0-101.33.4.3.el9uek or higher.
This issue was patched in ELSA-2025-20480.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uek-modules-extra-netfilter package and not the kernel-uek-modules-extra-netfilter package as distributed by Oracle.
See How to fix? for Oracle:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
timers/migration: Fix off-by-one root mis-connection
Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore.
This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator.
Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue:
WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: <IRQ> ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt </IRQ>
Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted.
Also warn when more than one top level group exists to better detect similar issues in the future.
References
- https://linux.oracle.com/cve/CVE-2025-21813.html
- https://linux.oracle.com/errata/ELSA-2025-20480.html
- https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd
- https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3
- https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec