CVE-2025-21899 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::

No data.

References

Link	Providers
https://git.kernel.org/stable/c/435d2964af815aae456db554c62963b4515f19d0
https://git.kernel.org/stable/c/43b254d46c740bf9dbe65709afa021dd726dfa99
https://git.kernel.org/stable/c/5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77
https://git.kernel.org/stable/c/6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e
https://git.kernel.org/stable/c/f1ae50cfb818ce1ac7a674406dfadb7653e2552d
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lore.kernel.org/linux-cve-announce/2025040132-CVE-2025-21899-bf75@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21899
https://www.cve.org/CVERecord?id=CVE-2025-21899

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Fri, 31 Oct 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.14:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.14:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.14:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 23 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}`

Wed, 02 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025040132-CVE-2025-21899-bf75@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21899 https://www.cve.org/CVERecord?id=CVE-2025-21899
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Tue, 01 Apr 2025 15:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.
Title		tracing: Fix bad hist from corrupting named_triggers list
References		https://git.kernel.org/stable/c/435d2964af815aae456db554c62963b4515f19d0 https://git.kernel.org/stable/c/43b254d46c740bf9dbe65709afa021dd726dfa99 https://git.kernel.org/stable/c/5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77 https://git.kernel.org/stable/c/6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e https://git.kernel.org/stable/c/f1ae50cfb818ce1ac7a674406dfadb7653e2552d

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-04-01T15:26:50.791Z

Updated: 2025-11-03T19:38:45.924Z

Reserved: 2024-12-29T08:45:45.783Z

Link: CVE-2025-21899

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-04-01T16:15:20.327

Modified: 2025-11-03T20:17:25.817

Link: CVE-2025-21899

Redhat

Severity : Moderate

Publid Date: 2025-04-01T00:00:00Z

Links: CVE-2025-21899 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object