Improper locking in Linux kernel switchdev

1) Improper locking

EUVDB-ID: #VU106741

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21986

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the switchdev_port_obj_act_is_deferred(), EXPORT_SYMBOL_GPL() and call_switchdev_blocking_notifiers() functions in net/switchdev/switchdev.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 6.13 - 6.13.7

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:6.13:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.1:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.2:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.3:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.4:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.5:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.6:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.13.7:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d
https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff
https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b
https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682
https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.13.8

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.