CVE-2025-21718

Source
https://cve.org/CVERecord?id=CVE-2025-21718
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21718.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21718
Downstream
Related
Published
2025-02-27T02:07:27.971Z
Modified
2026-05-07T04:18:10.477269Z
Summary
net: rose: fix timer races against user threads
Details

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix timer races against user threads

Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread.

Add a check and rearm the timers if needed.

BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper/0/0

CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:489
  kasan_report+0x143/0x180 mm/kasan/report.c:602
  rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
  call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
  expire_timers kernel/time/timer.c:1844 [inline]
  __run_timers kernel/time/timer.c:2418 [inline]
  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
  run_timer_base kernel/time/timer.c:2439 [inline]
  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
  __do_softirq kernel/softirq.c:595 [inline]
  invoke_softirq kernel/softirq.c:435 [inline]
  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21718.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
52f5aff33ca73b2c2fa93f40a3de308012e63cf4
Fixed
0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1
Fixed
1409b45d4690308c502c6caf22f01c3c205b4717
Fixed
f55c88e3ca5939a6a8a329024aed8f3d98eea8e4
Fixed
51c128ba038cf1b79d605cbee325919b45ab95a5
Fixed
1992fb261c90e9827cf5dc3115d89bb0853252c9
Fixed
58051a284ac18a3bb815aac6289a679903ddcc3f
Fixed
5de7665e0a0746b5ad7943554b34db8f8614a196

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21718.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
5.4.291
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.235
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.179
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.129
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.76
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.13
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21718.json"