
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-21857 is a NULL pointer dereference vulnerability discovered in the Linux kernel's network scheduling component. The vulnerability was disclosed on March 12, 2025, affecting various versions of the Linux kernel including versions 6.13 through 6.13.5, 6.7 through 6.12.17, and 6.3 through 6.6.80. The issue occurs in the net/sched/cls_api.c file where improper error handling in the tcf_exts_miss_cookie_base_alloc() function can lead to a NULL pointer dereference (NVD).
The vulnerability stems from incorrect error handling in the tcf_exts_miss_cookie_base_alloc() function. When xa_alloc_cyclic() returns 1 (indicating successful allocation after wrapping), it is incorrectly treated as an error. This causes tcf_exts_init_ex() to set exts->actions to NULL and return 1 to fl_change(). The fl_change() function then treats this as a success, leading to tcf_exts_validate_ex() calling tcf_action_init() with a NULL exts->actions argument, resulting in a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) (NVD).
The vulnerability can result in a kernel NULL pointer dereference, which typically leads to a system crash or denial of service condition. This can affect system stability and availability, particularly in environments where the affected network scheduling components are actively used (NVD).
The vulnerability has been patched in the Linux kernel. The fix involves modifying the error handling logic in tcf_exts_miss_cookie_base_alloc() to properly check for negative error values instead of treating all non-zero values as errors. The patch is available through multiple kernel version updates and has been backported to affected stable kernel versions (Kernel Patch).
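The return-value mismatch described above can be reproduced in a small user-space model. This is an added example, not kernel code and not taken from the patch: every `toy_*` name, the four-entry ID space and the `fixed` switch are hypothetical stand-ins for the functions named on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define TOY_MAX 3   /* constructed: tiny ID space so wrapping is easy to reach */
struct toy_xa   { uint32_t next; uint8_t used[TOY_MAX + 1]; };
struct toy_exts { int *actions; uint32_t cookie; };

/* Model of the return convention: 0 = allocated, 1 = allocated after wrapping, <0 = -errno. */
static int toy_alloc_cyclic(struct toy_xa *xa, uint32_t *id)
{
    for (int pass = 0; pass < 2; pass++) {          /* pass 1 restarts from 0 */
        uint32_t lo = pass ? 0 : xa->next, hi = pass ? xa->next : TOY_MAX + 1;
        for (uint32_t i = lo; i < hi; i++) {
            if (xa->used[i])
                continue;
            xa->used[i] = 1; xa->next = i + 1; *id = i;
            return pass;
        }
    }
    return -EBUSY;
}

/* fixed == 0: pre-patch check (any non-zero is an error); fixed == 1: only err < 0 is. */
static int toy_cookie_alloc(struct toy_xa *xa, struct toy_exts *e, int fixed)
{
    int err = toy_alloc_cyclic(xa, &e->cookie);
    return (fixed ? err < 0 : err != 0) ? err : 0;  /* pre-patch: positive 1 escapes */
}

static int toy_exts_init(struct toy_xa *xa, struct toy_exts *e, int *storage, int fixed)
{
    e->actions = storage;
    int err = toy_cookie_alloc(xa, e, fixed);
    if (err)
        e->actions = NULL;                          /* error path drops the actions array */
    return err;
}

/* Caller that, like fl_change() on this page, fails only on err < 0.
 * Returns -1 on failure, 1 if it would continue with actions == NULL, else 0. */
int toy_change(struct toy_xa *xa, int fixed)
{
    static int storage[4];
    struct toy_exts e;
    if (toy_exts_init(xa, &e, storage, fixed) < 0)
        return -1;
    return e.actions == NULL;
}
```

Starting the model with `next` one past `TOY_MAX` forces the first allocation to wrap: the pre-patch path then reports that the caller would proceed with a NULL `actions` pointer, while the patched path does not.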
Source: This report was generated using AI