CVE-2025-21851: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21851 affects the Linux kernel's BPF subsystem, specifically related to arenamapfree functionality. The vulnerability was discovered in March 2025 and affects Linux kernel versions from 6.9 to 6.13.5. The issue occurs on aarch64 kernels with CONFIGPAGESIZE64KB=y configuration, where arenahtab tests can trigger a segmentation fault and soft lockup (NVD).

The vulnerability stems from arenamapfree() calling applytoexistingpagerange() with an unaligned address returned by bpfarenagetkernvmstart(). When this unaligned address is passed to applytopterange(), it causes a soft lockup. The issue is specific to 64KB page size configurations on aarch64 architecture and is not observed with 4KB pages. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 LOW with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can cause system instability through segmentation faults and soft lockups on affected systems. The impact is limited to systems running on aarch64 architecture with 64KB page size configuration enabled (NVD).

The issue has been fixed by rounding up GUARDSZ to PAGESIZE << 1 so that the division by 2 in bpfarenagetkernvm_start() returns a page-aligned value. The fix is available in the kernel patch 517e8a7835e8cfb398a0aeb0133de50e31cae32b (Kernel Patch).