PT-2025-6936 · Linux+7 · Linux Kernel+7

Lion Ackermann

Published

2025-01-15

Updated

2026-01-14

CVE-2025-21700

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Linux Kernel (affected versions not specified)

Description: A vulnerability in the Linux kernel has been resolved, which allowed for the replacement of a child qdisc from one parent to another. This issue was discovered by Lion Ackermann, who was able to create a Use-After-Free (UAF) condition that could be abused for privilege escalation. The vulnerability is related to the tc qdisc replace command, which can lead to a situation where a qdisc is replaced with another one, causing a UAF condition. The patch takes a preventive approach by disallowing such configuration.

Technical details about exploitation include:

API Endpoints: /dev/lo is used as the device for the tc qdisc and tc class commands.
Vulnerable Parameters or Variables: handle, parent, classid, and priority are used in the tc qdisc and tc class commands.
Function Names: tc qdisc add, tc qdisc replace, tc class add, and tc class delete are used to manipulate the qdisc and class configurations.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

LPE

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

ALT-PU-2025-12647

ALT-PU-2025-5012

ALT-PU-2025-5359

ALT-PU-2025-5361

ALT-PU-2025-5437

AZL-59079

BDU:2025-10244

CVE-2025-21700

DLA-4102-1

DLA-4178-1

MGASA-2025-0078

MGASA-2025-0079

OESA-2025-1282

OESA-2025-1446

OESA-2025-1450

OESA-2025-1963

OESA-2025-1964

OPENSUSE-SU-2025_0847-1

OPENSUSE-SU-2025_0856-1

OPENSUSE-SU-2025_0955-1

SUSE-SU-2025:02099-1

SUSE-SU-2025:02264-1

SUSE-SU-2025:02308-1

SUSE-SU-2025:02320-1

SUSE-SU-2025:02321-1

SUSE-SU-2025:02322-1

SUSE-SU-2025:02537-1

SUSE-SU-2025:0784-1

SUSE-SU-2025:0834-1

SUSE-SU-2025:0847-1

SUSE-SU-2025:0856-1

SUSE-SU-2025:0955-1

SUSE-SU-2025:20190-1

SUSE-SU-2025:20192-1

SUSE-SU-2025:20260-1

SUSE-SU-2025:20270-1

SUSE-SU-2025:2264-1

SUSE-SU-2025_02099-1

SUSE-SU-2025_02264-1

SUSE-SU-2025_02308-1

SUSE-SU-2025_02537-1

SUSE-SU-2025_0834-1

SUSE-SU-2025_0847-1

SUSE-SU-2025_0856-1

SUSE-SU-2025_0955-1

USN-7428-1

USN-7428-2

USN-7429-1

USN-7429-2

USN-7445-1

USN-7448-1

USN-7449-1

USN-7449-2

USN-7450-1

USN-7451-1

USN-7452-1

USN-7453-1

USN-7455-1

USN-7455-2

USN-7455-3

USN-7455-4

USN-7455-5

USN-7459-1

USN-7459-2

USN-7460-1

USN-7461-1

USN-7461-2

USN-7461-3

USN-7462-1

USN-7462-2

USN-7463-1

USN-7468-1

USN-7475-1

USN-7523-1

USN-7524-1

USN-7539-1

USN-7540-1

Affected Products

Alt Linux

Astra Linux

Debian

Linux Kernel

Linuxmint

Red Os

Suse

Ubuntu

PT-2025-6936 · Linux+7 · Linux Kernel+7

CVE-2025-21700

Weakness Enumeration

Related Identifiers

Affected Products

References · 2910