VYPR
Medium severity 5.5 · NVD Advisory · Published Jan 19, 2025 · Updated May 12, 2026

CVE-2025-21653

Description

In the Linux kernel, the following vulnerability has been resolved:

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shifting a 32bit integer is undefined for large shift values.

UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
 flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
 tc_classify include/net/tc_wrapper.h:197 [inline]
 __tcf_classify net/sched/cls_api.c:1771 [inline]
 tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
 sfb_classify net/sched/sch_sfb.c:260 [inline]
 sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
 dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
 __dev_xmit_skb net/core/dev.c:3889 [inline]
 __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
 geneve_xmit_skb drivers/net/geneve.c:916 [inline]
 geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, missing validation of the TCA_FLOW_RSHIFT attribute in cls_flow allows undefined behavior via large shift values, leading to a system crash.

Vulnerability Details

CVE-2025-21653 is a vulnerability in the cls_flow classifier of the Linux kernel's net/sched subsystem. The TCA_FLOW_RSHIFT attribute, which specifies the right-shift amount applied to a 32-bit unsigned integer, was not validated before use. An attacker can therefore supply an excessively large shift exponent (e.g., 9445, as demonstrated by syzbot), which is undefined behavior under the C language standard. The kernel's Undefined Behavior Sanitizer (UBSAN) detects the out-of-bounds shift and reports a shift-out-of-bounds error, leading to a kernel crash (denial of service) [1].

Exploitation

The vulnerability can be triggered by sending a crafted netlink message that sets TCA_FLOW_RSHIFT to an invalid value. No further authentication is required once the attacker is able to modify traffic control (tc) filters, for example through local access or the ability to inject netlink messages into the kernel. The crash occurs during packet classification when flow_classify() is called, as shown in the call trace involving the SFB scheduler and Geneve tunnel [1].

Impact

Successful exploitation results in a denial of service by crashing the kernel, specifically affecting systems that use the cls_flow classifier. This can disrupt network traffic processing and overall system availability. The vulnerability is rated Medium (CVSS 3.1 base score 5.5) due to its local attack vector and high availability impact [1].

Mitigation

The fix was applied to the Linux kernel by adding validation for the TCA_FLOW_RSHIFT attribute, ensuring the shift value is within the valid range (0-31) before use. The patch was committed to the stable kernel trees [3][4]. Users should update to a patched kernel version. The vulnerability also affects the SIMATIC S7-1500 TM MFP GNU/Linux subsystem, as listed in Siemens advisory SSA-265688 [2], which recommends following the kernel updates. No workaround is available beyond applying the patch.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
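
The range check described under Mitigation, as an added example that is not the kernel patch or code from this advisory. It is a userspace C model; the struct, the function names and the mask/xor/addend arithmetic are assumptions chosen for illustration. The shift count is rejected when the filter is configured, so the per-packet path never shifts a 32-bit value by an undefined amount.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define RSHIFT_MAX 31u /* largest defined shift count for a 32-bit value */

/* Hypothetical model of a flow filter's stored parameters (not kernel code). */
struct flow_cfg {
    uint32_t mask, xor_val, rshift, addend;
};

/* Configuration path: validate the attribute before it is ever stored.
 * A rejected value leaves the previous, valid configuration untouched. */
static int flow_cfg_set_rshift(struct flow_cfg *cfg, uint32_t rshift)
{
    if (rshift > RSHIFT_MAX)
        return -EINVAL;
    cfg->rshift = rshift;
    return 0;
}

/* Per-packet path: the shift is well defined only because rshift <= 31
 * was enforced above; no per-packet check is needed. */
static uint32_t flow_classid(const struct flow_cfg *cfg, uint32_t key)
{
    uint32_t id = (key & cfg->mask) ^ cfg->xor_val;
    return (id >> cfg->rshift) + cfg->addend;
}

int main(void)
{
    struct flow_cfg cfg = { 0xffffffffu, 0, 0, 1 };
    /* Constructed inputs; 9445 is the exponent from the UBSAN report. */
    const uint32_t samples[] = { 0, 8, 31, 32, 9445 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = flow_cfg_set_rshift(&cfg, samples[i]);
        if (rc)
            printf("rshift=%u rejected (errno %d), kept %u\n",
                   (unsigned)samples[i], -rc, (unsigned)cfg.rshift);
        else
            printf("rshift=%u accepted, classid(0xdeadbeef)=0x%x\n",
                   (unsigned)samples[i],
                   (unsigned)flow_classid(&cfg, 0xdeadbeefu));
    }
    return 0;
}
```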

Affected products: 73

References: 11
