{"id":"CVE-2025-21921","summary":"net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n       if (!phydev) {\n               NL_SET_ERR_MSG_ATTR(extack, header,\n                                   \"no phy matching phyindex\");\n               return ERR_PTR(-ENODEV);\n       }\n\nIn the notify path after a -\u003eset operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t      info-\u003eextack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper.","modified":"2026-04-02T12:45:17.235818Z","published":"2025-04-01T15:40:55.110Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21921.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"},{"type":"WEB","url":"https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"},{"type":"WEB","url":"https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21921.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21921"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c15e065b46dc4e19837275b826c1960d55564abd"},{"fixed":"639c70352958735addbba5ae7dd65985da96e061"},{"fixed":"1f458fa42c29144cef280e05bc49fc21b873d897"},{"fixed":"637399bf7e77797811adf340090b561a8f9d1213"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21921.json"}}],"schema_version":"1.7.5"}