{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21777", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.763Z", "datePublished": "2025-02-27T02:18:22.008Z", "dateUpdated": "2025-05-04T07:20:57.840Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:20:57.840Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Validate the persistent meta data subbuf array\n\nThe meta data for a mapped ring buffer contains an array of indexes of all\nthe subbuffers. The first entry is the reader page, and the rest of the\nentries lay out the order of the subbuffers in how the ring buffer link\nlist is to be created.\n\nThe validator currently makes sure that all the entries are within the\nrange of 0 and nr_subbufs. But it does not check if there are any\nduplicates.\n\nWhile working on the ring buffer, I corrupted this array, where I added\nduplicates. The validator did not catch it and created the ring buffer\nlink list on top of it. Luckily, the corruption was only that the reader\npage was also in the writer path and only presented corrupted data but did\nnot crash the kernel. But if there were duplicates in the writer side,\nthen it could corrupt the ring buffer link list and cause a crash.\n\nCreate a bitmask array with the size of the number of subbuffers. Then\nclear it. When walking through the subbuf array checking to see if the\nentries are within the range, test if its bit is already set in the\nsubbuf_mask. If it is, then there is duplicates and fail the validation.\nIf not, set the corresponding bit and continue."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "c76883f18e59b762247ee91d3e4224231711854e", "lessThan": "3ec743d558f111d8999aea24577ba66c65ee2eeb", "status": "affected", "versionType": "git"}, {"version": "c76883f18e59b762247ee91d3e4224231711854e", "lessThan": "0d547a6f5e8fad26ebc12f501d7d19fccdbad6bf", "status": "affected", "versionType": "git"}, {"version": "c76883f18e59b762247ee91d3e4224231711854e", "lessThan": "f5b95f1fa2ef3a03f49eeec658ba97e721412b32", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.16", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.4", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.13.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3ec743d558f111d8999aea24577ba66c65ee2eeb"}, {"url": "https://git.kernel.org/stable/c/0d547a6f5e8fad26ebc12f501d7d19fccdbad6bf"}, {"url": "https://git.kernel.org/stable/c/f5b95f1fa2ef3a03f49eeec658ba97e721412b32"}], "title": "ring-buffer: Validate the persistent meta data subbuf array", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "537F3B42-2EC5-47FB-8166-5ACF0353AFEC", "versionEndExcluding": "6.12.16", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2093ED-74A9-43F9-AC72-50030F374EA4", "versionEndExcluding": "6.13.4", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Validate the persistent meta data subbuf array\n\nThe meta data for a mapped ring buffer contains an array of indexes of all\nthe subbuffers. The first entry is the reader page, and the rest of the\nentries lay out the order of the subbuffers in how the ring buffer link\nlist is to be created.\n\nThe validator currently makes sure that all the entries are within the\nrange of 0 and nr_subbufs. But it does not check if there are any\nduplicates.\n\nWhile working on the ring buffer, I corrupted this array, where I added\nduplicates. The validator did not catch it and created the ring buffer\nlink list on top of it. Luckily, the corruption was only that the reader\npage was also in the writer path and only presented corrupted data but did\nnot crash the kernel. But if there were duplicates in the writer side,\nthen it could corrupt the ring buffer link list and cause a crash.\n\nCreate a bitmask array with the size of the number of subbuffers. Then\nclear it. When walking through the subbuf array checking to see if the\nentries are within the range, test if its bit is already set in the\nsubbuf_mask. If it is, then there is duplicates and fail the validation.\nIf not, set the corresponding bit and continue."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ring-buffer: validar la matriz de subbuf de metadatos persistentes Los metadatos de un b\u00fafer de anillo asignado contienen una matriz de \u00edndices de todos los subb\u00faferes. La primera entrada es la p\u00e1gina del lector y el resto de las entradas establecen el orden de los subb\u00faferes en c\u00f3mo se crear\u00e1 la lista de enlaces del b\u00fafer de anillo. El validador actualmente se asegura de que todas las entradas est\u00e9n dentro del rango de 0 y nr_subbufs. Pero no verifica si hay duplicados. Mientras trabajaba en el b\u00fafer de anillo, corromp\u00ed esta matriz, donde agregu\u00e9 duplicados. El validador no lo detect\u00f3 y cre\u00f3 la lista de enlaces del b\u00fafer de anillo encima. Afortunadamente, la corrupci\u00f3n fue solo que la p\u00e1gina del lector tambi\u00e9n estaba en la ruta del escritor y solo present\u00f3 datos corruptos pero no bloque\u00f3 el kernel. Pero si hab\u00eda duplicados en el lado del escritor, entonces podr\u00eda corromper la lista de enlaces del b\u00fafer de anillo y causar un bloqueo. Cree una matriz de m\u00e1scara de bits con el tama\u00f1o del n\u00famero de subb\u00faferes. Luego, b\u00f3rrelo. Al recorrer la matriz subbuf para verificar si las entradas est\u00e1n dentro del rango, verifique si su bit ya est\u00e1 configurado en subbuf_mask. Si es as\u00ed, entonces hay duplicados y falla la validaci\u00f3n. Si no es as\u00ed, configure el bit correspondiente y contin\u00fae."}], "id": "CVE-2025-21777", "lastModified": "2025-10-28T20:36:53.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-27T03:15:18.377", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0d547a6f5e8fad26ebc12f501d7d19fccdbad6bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ec743d558f111d8999aea24577ba66c65ee2eeb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f5b95f1fa2ef3a03f49eeec658ba97e721412b32"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ring-buffer: Validate the persistent meta data subbuf array", "id": "2348593", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348593"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nring-buffer: Validate the persistent meta data subbuf array\nThe meta data for a mapped ring buffer contains an array of indexes of all\nthe subbuffers. The first entry is the reader page, and the rest of the\nentries lay out the order of the subbuffers in how the ring buffer link\nlist is to be created.\nThe validator currently makes sure that all the entries are within the\nrange of 0 and nr_subbufs. But it does not check if there are any\nduplicates.\nWhile working on the ring buffer, I corrupted this array, where I added\nduplicates. The validator did not catch it and created the ring buffer\nlink list on top of it. Luckily, the corruption was only that the reader\npage was also in the writer path and only presented corrupted data but did\nnot crash the kernel. But if there were duplicates in the writer side,\nthen it could corrupt the ring buffer link list and cause a crash.\nCreate a bitmask array with the size of the number of subbuffers. Then\nclear it. When walking through the subbuf array checking to see if the\nentries are within the range, test if its bit is already set in the\nsubbuf_mask. If it is, then there is duplicates and fail the validation.\nIf not, set the corresponding bit and continue."], "name": "CVE-2025-21777", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21777\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21777\nhttps://lore.kernel.org/linux-cve-announce/2025022607-CVE-2025-21777-0c96@gregkh/T"], "threat_severity": "Moderate"}

{}