CVE-2025-21716: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21716 is a vulnerability discovered in the Linux kernel's VXLAN (Virtual Extensible LAN) implementation. The issue was identified in the vxlanvnifilterdump() function where an uninitialized value access could occur when processing netlink messages. The vulnerability was discovered and reported through the kernel's KMSAN (Kernel Memory Sanitizer) system (Kernel Commit).

The vulnerability occurs in the vxlanvnifilterdump() function when the length of the netlink message payload is less than sizeof(struct tunnel_msg). In such cases, the function would access bytes beyond the message boundary, leading to potential uninitialized value access. The issue was traced back to the original implementation of VNI filtering support on collect metadata device (Kernel Commit).

If exploited, this vulnerability could lead to unauthorized access to uninitialized kernel memory values. This could potentially expose sensitive information or lead to system instability (Kernel Commit).

The vulnerability has been patched by adding a length validation check before accessing the netlink message data. The fix involves returning an error (-EINVAL) when the message length is insufficient, preventing access to uninitialized memory. The patch has been merged into the mainline kernel (Kernel Commit).