CVE-2025-21692
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-21692 is a vulnerability discovered in the Linux kernel's Enhanced Transmission Selection (ETS) scheduler component. The vulnerability was first reported on February 10, 2025, and involves an Out-Of-Bounds (OOB) indexing issue in the `ets_class_from_arg()` function when passed a clid of 0. This affects multiple versions of the Linux kernel from version 5.6 through 6.13-rc7 (NVD).

Technical details

The vulnerability exists in the `net/sched/sch_ets.c` file, where the `ets_class_from_arg()` function can index an Out-Of-Bounds class when passed a clid of 0. The issue was identified through UBSAN (Undefined Behavior Sanitizer), which detected an array-index-out-of-bounds error at line 93:20 of the source file. The CVSS v3.1 base score is 7.8 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability can lead to local privilege escalation when exploited. The security impact is particularly relevant when the Enhanced Transmission Selection scheduler is being used as part of qdisc. The bug affects systems where the sch_ets module is loaded, potentially allowing attackers to gain elevated privileges on the system (RedHat).

Mitigation and workarounds

To mitigate this issue, system administrators can prevent the sch_ets module from being loaded. For systems that cannot be immediately patched, blacklisting the kernel module is recommended to prevent it from loading automatically. Fixed versions have been released for various Linux distributions, including version 6.1.128 for Debian bookworm and 6.12.12 for Debian trixie (Debian).
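The following shell function is an added example, not part of the original report or of any vendor tooling. It audits whether the module workaround described above is actually in effect: a `blacklist` line in modprobe configuration only stops alias-based autoloading, while an `install sch_ets /bin/false` line also makes an explicit `modprobe sch_ets` fail. The function name, the status words it prints, and the `PROC_MODULES` / `MODPROBE_DIRS` override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether sch_ets can still be loaded on this host.
# PROC_MODULES and MODPROBE_DIRS are hypothetical overrides (used for testing);
# by default the real /proc/modules and standard modprobe.d directories are read.
# Prints one of: loaded | blocked | blacklist-only | unprotected
ets_module_status() {
    proc_modules=${PROC_MODULES:-/proc/modules}
    dirs=${MODPROBE_DIRS:-"/etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d"}

    # A module that is already loaded is unaffected by modprobe configuration.
    if [ -r "$proc_modules" ] && grep -q '^sch_ets ' "$proc_modules"; then
        echo loaded; return 0
    fi

    has_blacklist=0; has_install=0
    for d in $dirs; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            # modprobe treats '-' and '_' in module names as equivalent.
            if grep -Eq '^[[:space:]]*blacklist[[:space:]]+sch[-_]ets([[:space:]]|$)' "$f"; then
                has_blacklist=1
            fi
            # An install override pointing at false/true blocks explicit loads too.
            if grep -Eq '^[[:space:]]*install[[:space:]]+sch[-_]ets[[:space:]]+(/usr)?/bin/(false|true)([[:space:]]|$)' "$f"; then
                has_install=1
            fi
        done
    done

    if [ "$has_install" -eq 1 ]; then echo blocked
    elif [ "$has_blacklist" -eq 1 ]; then echo blacklist-only
    else echo unprotected
    fi
}

# Report the state of the current host.
ets_module_status
```

A result of `loaded` means the module must be unloaded (or the host rebooted) before the configuration takes effect. Loading with `insmod` bypasses modprobe configuration entirely, so this workaround does not replace installing a fixed kernel.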

Source: This report was generated using AI