ghsa-qc6x-3767-556f
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
ethnl_req_get_phydev() is used to lookup a phy_device, in the case an ethtool netlink command targets a specific phydev within a netdev's topology.
It takes as a parameter a const struct nlattr *header that's used for error handling :
if (!phydev) {
NL_SET_ERR_MSG_ATTR(extack, header,
"no phy matching phyindex");
return ERR_PTR(-ENODEV);
}
In the notify path after a ->set operation however, there's no request attributes available.
The typical callsite for the above function looks like:
phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],
info->extack);
So, when tb is NULL (such as in the ethnl notify path), we have a nice crash.
It turns out that there's only the PLCA command that is in that case, as the other phydev-specific commands don't have a notification.
This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.
{
"affected": [],
"aliases": [
"CVE-2025-21921"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev\u0027s\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that\u0027s used for\nerror handling :\n\n if (!phydev) {\n NL_SET_ERR_MSG_ATTR(extack, header,\n \"no phy matching phyindex\");\n return ERR_PTR(-ENODEV);\n }\n\nIn the notify path after a -\u003eset operation however, there\u0027s no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t info-\u003eextack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there\u0027s only the PLCA command that is in that case, as\nthe other phydev-specific commands don\u0027t have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper.",
"id": "GHSA-qc6x-3767-556f",
"modified": "2025-10-31T18:31:11Z",
"published": "2025-04-01T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21921"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.