CVE-2025-21808— net: xdp: Disallow attaching device-bound programs in generic mode

AI Predicted 5.5 Difficulty: Moderate EPSS 0.02% · P6 Updated May 13, 2026

Affected Version Matrix 10

Vendor	Product	Version Range	Status
Linux	Linux	`2b3486bc2d237ec345b3942b7be5deabf8c8fed1< b1bc4a35a04cbeb85b6ef5911ec015baa424989f`	affected
		`2b3486bc2d237ec345b3942b7be5deabf8c8fed1< 557707906dd3e34b8a8c265f664d19f95799937e`	affected
		`2b3486bc2d237ec345b3942b7be5deabf8c8fed1< 5a9eae683d6c36e8a7aa31e5eb8b369e41aa66e1`	affected
		`2b3486bc2d237ec345b3942b7be5deabf8c8fed1< 3595599fa8360bb3c7afa7ee50c810b4a64106ea`	affected
		`6.3`	affected
		`< 6.3`	unaffected
		`6.6.76≤ 6.6.*`	unaffected
		`6.12.13≤ 6.12.*`	unaffected
… +2 more rows

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-21808

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

net: xdp: Disallow attaching device-bound programs in generic mode

Source: NVD (National Vulnerability Database)

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means they can't work in generic XDP mode. However, there is no check to disallow such programs from being attached in generic mode, in which case the metadata kfuncs will be called in an invalid context, leading to crashes. Fix this by adding a check to disallow attaching device-bound programs in generic mode.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Linux kernel 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞，该漏洞源于未禁止在通用模式下附加设备绑定程序，可能导致崩溃。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Linux	Linux	2b3486bc2d237ec345b3942b7be5deabf8c8fed1 ~ b1bc4a35a04cbeb85b6ef5911ec015baa424989f	-
Linux	Linux	6.3	-

II. Public POCs for CVE-2025-21808

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-21808

请登录查看更多情报信息。

Patches & Fixes for CVE-2025-21808 (4)

https://nvd.nist.gov/vuln/detail/CVE-2025-21808

Same Patch Batch · Linux · 2025-02-27 · 177 CVEs total

CVE-2025-21756	7.8 HIGH	vsock: Keep the binding until socket destruction
CVE-2025-21770		iommu: Fix potential memory leak in iopf_queue_remove_device()
CVE-2025-21761		openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
CVE-2025-21763		neighbour: use RCU protection in __neigh_notify()
CVE-2025-21762		arp: use RCU protection in arp_xmit()
CVE-2025-21764		ndisc: use RCU protection in ndisc_alloc_skb()
CVE-2025-21765		ipv6: use RCU protection in ip6_default_advmss()
CVE-2025-21766		ipv4: use RCU protection in __ip_rt_update_pmtu()
CVE-2025-21767		clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context
CVE-2025-21769		ptp: vmclock: Add .owner to vmclock_miscdev_fops
CVE-2025-21768		net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
CVE-2025-21771		sched_ext: Fix incorrect autogroup migration detection
CVE-2025-21776		USB: hub: Ignore non-compliant devices with too many configs or interfaces
CVE-2025-21781		batman-adv: fix panic during interface removal
CVE-2025-21780		drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
CVE-2025-21779		KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel
CVE-2025-21778		tracing: Do not allow mmap() of persistent ring buffer
CVE-2025-21777		ring-buffer: Validate the persistent meta data subbuf array
CVE-2025-21775		can: ctucanfd: handle skb allocation failure
CVE-2025-21773		can: etas_es58x: fix potential NULL pointer dereference on udev->serial

Showing top 20 of 177 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux

Same vendor: Linux

V. Comments for CVE-2025-21808

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-21808— net: xdp: Disallow attaching device-bound programs in generic mode

Affected Version Matrix 10

I. Basic Information for CVE-2025-21808

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-21808

III. Intelligence Information for CVE-2025-21808

Patches & Fixes for CVE-2025-21808 (4)

Same Patch Batch · Linux · 2025-02-27 · 177 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-21808

Leave a comment