Vulnerabilities are a routine part of the security landscape and call for prompt action. A new vulnerability, CVE-2025-21681, has been identified and resolved in the Open vSwitch module of the Linux kernel. This post discusses the issue and its fix, and points to the original references.
The Vulnerability
The problem arises in the Open vSwitch Linux kernel module, which performs advanced virtual switching functions in software. A lockup occurs when transmitting to a network device that is unregistering but still reports carrier.
A commit was already made to address the lockup in the following sequence of calls:
do_output
-> ovs_vport_send
-> dev_queue_xmit
-> __dev_queue_xmit
-> netdev_core_pick_tx
-> skb_tx_hash
The lockup is caused by an infinite loop in the skb_tx_hash() function, which occurs when the 'dev->real_num_tx_queues' variable goes to zero while the device is unregistering.
However, checking the carrier status alone isn't enough. Some devices, such as net/dummy, can still be in the unregistering state while reporting carrier status OK. To address this, the fix implemented in the Linux kernel checks whether the device is running in addition to checking the carrier status.
You can find more information about this vulnerability and its fix in the following references:
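The failure and the fix described above, as an added user-space C model (not kernel code and not from the original post). `struct model_dev`, `model_tx_hash`, `model_output`, the two gate functions and the return codes are hypothetical names, and the queue selection is simplified to a subtract-until-in-range loop.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the net_device state that matters here. */
struct model_dev {
    unsigned int real_num_tx_queues; /* goes to 0 while unregistering */
    bool running;                    /* model assumption: false once unregistering */
    bool carrier_ok;                 /* a dummy-style device leaves this set */
};

/* Simplified queue pick: reduce hash into [0, qcount).
 * Returns the queue index, or -1 where the real loop would spin forever. */
int model_tx_hash(const struct model_dev *dev, unsigned int hash)
{
    unsigned int qcount = dev->real_num_tx_queues;
    while (hash >= qcount) {
        if (qcount == 0)
            return -1;   /* hash -= 0 makes no progress */
        hash -= qcount;
    }
    return (int)hash;
}

/* Send gate that trusts carrier status alone. */
bool gate_carrier_only(const struct model_dev *dev)
{
    return dev->carrier_ok;
}

/* Send gate as the fix is described: running AND carrier. */
bool gate_running_and_carrier(const struct model_dev *dev)
{
    return dev->running && dev->carrier_ok;
}

/* Returns queue index, -1 for the modeled lockup, -2 if the packet is not sent. */
int model_output(const struct model_dev *dev, unsigned int hash,
                 bool (*gate)(const struct model_dev *))
{
    return gate(dev) ? model_tx_hash(dev, hash) : -2;
}

int main(void)
{
    struct model_dev unreg = { 0, false, true }; /* constructed: unregistering dummy */
    printf("carrier only:    %d\n", model_output(&unreg, 5, gate_carrier_only));
    printf("running+carrier: %d\n", model_output(&unreg, 5, gate_running_and_carrier));
    return 0;
}
```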
- Linux kernel commit
- Open vSwitch project
Exploit Details
The lockup is triggered when packets are sent to a device that is unregistering but still reporting its carrier status as OK. One example of such a device is the net/dummy device, which is commonly used as a packet sink for tcpdump when debugging Open vSwitch deployments. When the issue occurs, the only way to recover is to reboot the system.
Conclusion
The Linux kernel Open vSwitch vulnerability, CVE-2025-21681, has been identified and resolved by a fix that checks both the carrier status and whether the device is running. This fix prevents the lockup and keeps the Open vSwitch environment stable, so users and administrators should update their Linux kernel to a version containing it.
Timeline
Published on: 01/31/2025 12:15:29 UTC
Last modified on: 02/21/2025 16:54:12 UTC