CVE-2025-21759: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21759 affects the Linux kernel's IPv6 multicast functionality. The vulnerability was discovered in February 2025 and involves a potential Use-After-Free (UAF) issue in the igmp6send() function. The vulnerability occurs because igmp6send() can be called without RTNL or RCU being held, which could lead to unsafe network pointer fetching (Kernel Git).

The vulnerability exists in the igmp6send() function within the IPv6 multicast implementation. The issue stems from insufficient RCU (Read-Copy-Update) protection when accessing network namespace pointers. The function previously used sockallocsendskb() which was problematic because ipv6.igmpsk uses GFPKERNEL allocations that can sleep. The fix involves extending RCU protection and using allocskb() instead, while charging the net->ipv6.igmpsk socket under RCU protection (Kernel Git). The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) (Snyk).

The vulnerability could lead to a Use-After-Free condition when handling IPv6 multicast operations. This could potentially result in system crashes or memory corruption. The primary impact is on system availability, with a potential for complete loss of availability while the attack is ongoing (Snyk).

The vulnerability has been patched in the Linux kernel through a commit that extends RCU protection in igmp6send(). The fix involves changing the memory allocation method from sockallocsendskb() to alloc_skb() and ensuring proper RCU protection when accessing network namespace pointers (Kernel Git). For CentOS 7, there is currently no fixed version available (Snyk).