CVE-2025-21653

Source
https://cve.org/CVERecord?id=CVE-2025-21653
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21653.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21653
Downstream
Related
Published
2025-01-19T10:18:10.354Z
Modified
2026-07-11T03:55:35.617076041Z
Summary
net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
Details

In the Linux kernel, the following vulnerability has been resolved:

netsched: clsflow: validate TCAFLOWRSHIFT attribute

syzbot found that TCAFLOWRSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values.

UBSAN: shift-out-of-bounds in net/sched/clsflow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: ipv6addrconf addrconfdadwork Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:231 [inline] __ubsanhandleshiftoutofbounds+0x3c8/0x420 lib/ubsan.c:468 flowclassify+0x24d5/0x25b0 net/sched/clsflow.c:329 tcclassify include/net/tc_wrapper.h:197 [inline] __tcfclassify net/sched/clsapi.c:1771 [inline] tcfclassify+0x420/0x1160 net/sched/clsapi.c:1867 sfbclassify net/sched/schsfb.c:260 [inline] sfbenqueue+0x3ad/0x18b0 net/sched/schsfb.c:318 devqdiscenqueue+0x4b/0x290 net/core/dev.c:3793 __devxmitskb net/core/dev.c:3889 [inline] __devqueuexmit+0xf0e/0x3f50 net/core/dev.c:4400 devqueuexmit include/linux/netdevice.h:3168 [inline] neighhhoutput include/net/neighbour.h:523 [inline] neighoutput include/net/neighbour.h:537 [inline] ipfinishoutput2+0xd41/0x1390 net/ipv4/ipoutput.c:236 iptunnelxmit+0x55d/0x9b0 net/ipv4/iptunnelcore.c:82 udptunnelxmitskb+0x262/0x3b0 net/ipv4/udptunnelcore.c:173 genevexmitskb drivers/net/geneve.c:916 [inline] geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 __netdevstartxmit include/linux/netdevice.h:5002 [inline] netdevstartxmit include/linux/netdevice.h:5011 [inline] xmitone net/core/dev.c:3590 [inline] devhardstartxmit+0x27a/0x7d0 net/core/dev.c:3606 __devqueuexmit+0x1b73/0x3f50 net/core/dev.c:4434

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21653.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e5dfb815181fcb186d6080ac3a091eadff2d98fe
Fixed
9858f4afeb2e59506e714176bd3e135539a3eeec
Fixed
43658e4a5f2770ad94e93362885ff51c10cf3179
Fixed
a313d6e6d5f3a631cae5a241c392c28868aa5c5e
Fixed
2011749ca96460386844dfc7e0fde53ebee96f3c
Fixed
e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61
Fixed
6fde663f7321418996645ee602a473457640542f
Fixed
a039e54397c6a75b713b9ce7894a62e06956aa92

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21653.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.25
Fixed
5.4.290
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.234
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.177
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.125
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.72
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.10

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21653.json"