CVE-2025-21806
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-21806 affects the Linux kernel's network subsystem, specifically the handling of the net.core.dev_weight sysctl parameter. The vulnerability was discovered in January 2025 and involves a stability issue where setting net.core.dev_weight to zero can cause system instability. The issue affects Linux kernel versions up to 6.13.0-rc7 (Debian Security).

Technical details

The vulnerability occurs when the NAPI (New API) poll function process_backlog() returns 0 and clears the NAPI_STATE_SCHED bit of napi->state because the NAPI weight has been set to 0. This causes the NAPI instance to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has already been cleared, napi_schedule_rps() can be retriggered from enqueue_to_backlog(), which places the backlog NAPI on the poll list a second time, i.e. a list_add double add (Kernel Commit).

Impact

The vulnerability causes system instability and kernel warnings when triggered. Triggering it requires system-wide administrator privileges to set the net.core.dev_weight parameter to zero, as the setting is not namespaced (Debian Security).

Mitigation and workarounds

The issue has been fixed by ensuring that net.core.dev_weight always remains non-zero: the sysctl handler was changed to proc_dointvec_minmax with SYSCTL_ONE as the minimum value, so a write of 0 is rejected. The fix has been incorporated into newer kernel versions, and affected distributions have released patches (Kernel Commit).
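A host audit check for this setting, added here as an example and not part of the original report or the kernel patch. It assumes the sysctl is exposed at the standard procfs path /proc/sys/net/core/dev_weight and accepts an alternate file path so it can be exercised against constructed inputs:

```shell
#!/bin/sh
# Audit check for CVE-2025-21806: net.core.dev_weight must never be 0.
# Reads the sysctl value from procfs (path overridable for testing).
# Returns 0 when the value is a positive integer, 1 when it is 0
# (the condition that reaches the NAPI backlog double add), and 2
# when the file is unreadable or does not contain an integer.
check_dev_weight() {
    file="${1:-/proc/sys/net/core/dev_weight}"
    if [ ! -r "$file" ]; then
        echo "dev_weight: cannot read $file" >&2
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    # Reject empty strings and anything containing a non-digit.
    case "$value" in
        ''|*[!0-9]*)
            echo "dev_weight: unparseable value '$value' in $file" >&2
            return 2 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "dev_weight is 0: CVE-2025-21806 condition present; set a positive value and apply the kernel fix" >&2
        return 1
    fi
    echo "dev_weight=$value (ok)"
    return 0
}
```

Run it with no argument on a live host; a non-zero exit status from the function is the finding to alert on.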
