CVE-2025-21920: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21920 is a vulnerability discovered in the Linux kernel that affects VLAN device creation functionality. The vulnerability was disclosed on April 1, 2025, and received its initial analysis from NIST on April 11, 2025. The issue affects multiple versions of the Linux kernel, including versions from 2.6.35 up to 6.14-rc5 (NVD).

The vulnerability stems from a design flaw where VLAN devices can be created on top of non-ethernet devices. When creating a VLAN device, the system initializes GARP (garpinitapplicant) and MRP (mrpinitapplicant) for the underlying device. During initialization, multicast addresses are added to the underlying device through devmcadd. The _devmcadd function uses dev->addrlen to determine the length of the new multicast address, which causes an out-of-bounds read if dev->addr_len is greater than 6 bytes, as GARP and MRP multicast addresses are only 6 bytes long. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H and is classified as CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability can lead to information disclosure by leaking the address of a kernel function to usermode, potentially compromising system security. The high CVSS score indicates significant potential impact on system confidentiality and availability (NVD).

The vulnerability has been fixed by enforcing the type checking of the underlying device during VLAN device initialization. Multiple Linux distributions have released security updates to address this issue, including Debian which included the fix in version 6.1.133-1 (Debian Security).