vulnerability
Ubuntu: (Multiple Advisories) (CVE-2025-21910): Linux kernel vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Apr 1, 2025 | May 20, 2025 | Jun 3, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: regulatory: improve invalid hints checking
Syzbot keeps reporting an issue [1] that occurs when erroneous symbols
sent from userspace get through into user_alpha2[] via
regulatory_hint_user() call. Such invalid regulatory hints should be
rejected.
While a sanity check from commit 47caf685a685 ("cfg80211: regulatory:
reject invalid hints") looks to be enough to deter these very cases,
there is a way to get around it due to 2 reasons.
1) The way isalpha() works, symbols other than latin lower and
upper letters may be used to determine a country/domain.
For instance, greek letters will also be considered upper/lower
letters and for such characters isalpha() will return true as well.
However, ISO-3166-1 alpha2 codes should only hold latin
characters.
2) While processing a user regulatory request, between
reg_process_hint_user() and regulatory_hint_user() there happens to
be a call to queue_regulatory_request() which modifies letters in
request->alpha2[] with toupper(). This works fine for latin symbols,
less so for weird letter characters from the second part of _ctype[].
Syzbot triggers a warning in is_user_regdom_saved() by first sending
over an unexpected non-latin letter that gets malformed by toupper()
into a character that ends up failing isalpha() check.
Prevent this by enhancing is_an_alpha2() to ensure that incoming
symbols are latin letters and nothing else.
[1] Syzbot report:
------------[ cut here ]------------
Unexpected user alpha2: A?
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
Modules linked in:
CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient crda_timeout_work
RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]
RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]
RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
...
Call Trace:
crda_timeout_work+0x27/0x50 net/wireless/reg.c:542
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Solution(s)
References
- CVE-2025-21910
- https://attackerkb.com/topics/CVE-2025-21910
- UBUNTU-USN-7510-1
- UBUNTU-USN-7510-2
- UBUNTU-USN-7510-3
- UBUNTU-USN-7510-4
- UBUNTU-USN-7510-5
- UBUNTU-USN-7510-6
- UBUNTU-USN-7510-7
- UBUNTU-USN-7510-8
- UBUNTU-USN-7511-1
- UBUNTU-USN-7511-2
- UBUNTU-USN-7511-3
- UBUNTU-USN-7512-1
- UBUNTU-USN-7516-1
- UBUNTU-USN-7516-2
- UBUNTU-USN-7516-3
- UBUNTU-USN-7516-4
- UBUNTU-USN-7516-5
- UBUNTU-USN-7516-6
- UBUNTU-USN-7516-7
- UBUNTU-USN-7516-8
- UBUNTU-USN-7516-9
- UBUNTU-USN-7517-1
- UBUNTU-USN-7517-2
- UBUNTU-USN-7517-3
- UBUNTU-USN-7518-1
- UBUNTU-USN-7539-1
- UBUNTU-USN-7540-1
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.