PT-2025-6065 · Linux+7 · Linux Kernel+7

Haowei Yan

·

Published

2025-01-11

·

Updated

2026-01-29

·

CVE-2025-21692

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.12.6
Description The issue is related to an Out-Of-Bounds indexing vulnerability in the ets class from arg() function when passed a clid of 0. This overflow may cause local privilege escalation. The vulnerability was discovered by Haowei Yan.
Technical details about exploitation include:
  • The ets class from arg() function is vulnerable to Out-Of-Bounds indexing.
  • The clid variable is used in this function and passing a value of 0 can cause the overflow.
  • The tc ctl tclass() and ets class change() functions are also involved in the call trace.
  • The /net/sched/sch ets.c file is where the vulnerability is located.
Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for the ets class from arg() Out-Of-Bounds indexing vulnerability. As a temporary workaround, consider restricting access to the vulnerable ets class from arg() function until a patch is available.

Exploit

Fix

LPE

RCE

Out of bounds Read

Improper Validation of Array Index

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-125CWE-129

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2025-12647
ALT-PU-2025-3469
ALT-PU-2025-3514
ALT-PU-2025-5437
AZL-57012
AZL-57028
BDU:2025-01841
CVE-2025-21692
DLA-4075-1
DLA-4076-1
LSN-0117-1
MGASA-2025-0078
MGASA-2025-0079
OESA-2025-1446
OESA-2025-1450
OESA-2025-1963
OESA-2025-1964
OPENSUSE-SU-2025_0833-1
OPENSUSE-SU-2025_0835-1
OPENSUSE-SU-2025_0847-1
OPENSUSE-SU-2025_0853-1
OPENSUSE-SU-2025_0855-1
OPENSUSE-SU-2025_0856-1
OPENSUSE-SU-2025_0955-1
SUSE-SU-2025:03465-1
SUSE-SU-2025:03468-1
SUSE-SU-2025:03469-1
SUSE-SU-2025:03472-1
SUSE-SU-2025:03494-1
SUSE-SU-2025:03503-1
SUSE-SU-2025:03504-1
SUSE-SU-2025:03514-1
SUSE-SU-2025:03528-1
SUSE-SU-2025:03538-1
SUSE-SU-2025:03539-1
SUSE-SU-2025:03543-1
SUSE-SU-2025:03548-1
SUSE-SU-2025:03553-1
SUSE-SU-2025:03554-1
SUSE-SU-2025:03555-1
SUSE-SU-2025:03557-1
SUSE-SU-2025:03566-1
SUSE-SU-2025:03569-1
SUSE-SU-2025:03571-1
SUSE-SU-2025:03580-1
SUSE-SU-2025:0784-1
SUSE-SU-2025:0833-1
SUSE-SU-2025:0833-2
SUSE-SU-2025:0835-1
SUSE-SU-2025:0847-1
SUSE-SU-2025:0853-1
SUSE-SU-2025:0855-1
SUSE-SU-2025:0856-1
SUSE-SU-2025:0867-1
SUSE-SU-2025:0945-1
SUSE-SU-2025:0955-1
SUSE-SU-2025:20190-1
SUSE-SU-2025:20192-1
SUSE-SU-2025:20260-1
SUSE-SU-2025:20270-1
SUSE-SU-2025:20806-1
SUSE-SU-2025:20807-1
SUSE-SU-2025:20808-1
SUSE-SU-2025:20813-1
SUSE-SU-2025:20814-1
SUSE-SU-2025:20819-1
SUSE-SU-2025:20826-1
SUSE-SU-2025:20827-1
SUSE-SU-2025:20832-1
SUSE-SU-2025:20833-1
SUSE-SU-2025:20834-1
SUSE-SU-2025:20835-1
SUSE-SU-2025:20840-1
SUSE-SU-2025:20841-1
SUSE-SU-2025_0833-1
SUSE-SU-2025_0833-2
SUSE-SU-2025_0835-1
SUSE-SU-2025_0847-1
SUSE-SU-2025_0855-1
SUSE-SU-2025_0856-1
SUSE-SU-2025_0955-1
USN-7387-1
USN-7387-2
USN-7387-3
USN-7388-1
USN-7389-1
USN-7390-1
USN-7407-1
USN-7421-1
USN-7445-1
USN-7448-1
USN-7458-1
USN-7459-1
USN-7459-2
USN-7595-1
USN-7595-2
USN-7595-3
USN-7595-4
USN-7595-5
USN-7596-1
USN-7596-2
USN-7653-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu