#VU106806 Input validation error in Linux kernel - CVE-2025-21970


Updated: 2025-05-11

Vulnerability identifier: #VU106806

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-21970

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software: Linux kernel (Operating systems & Components / Operating system)

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the mlx5_esw_bridge_lag_rep_get(), mlx5_esw_bridge_is_local() and mlx5_esw_bridge_switchdev_event() functions in drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: 6.12, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.12.6, 6.12.7, 6.12.8, 6.12.9, 6.12.10, 6.12.11, 6.12.12, 6.12.13, 6.12.14, 6.12.15, 6.12.16, 6.12.17, 6.12.18, 6.12.19


External links
https://git.kernel.org/stable/c/4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb
https://git.kernel.org/stable/c/5dd8bf6ab1d6db40f5d09603759fa88caec19e7f
https://git.kernel.org/stable/c/86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1
https://git.kernel.org/stable/c/bd7e3a42800743a7748c83243e4cafc1b995d4c4
https://git.kernel.org/stable/c/f7bf259a04271165ae667ad21cfc60c6413f25ca
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.20


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
