CVE-2025-21682

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-01-31
Assigner (CNA): 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 25, 2026 - 11:22 (vuln.today)
Patch Released: Mar 25, 2026 - 11:22 (nvd), patch available
CVE Published: Jan 31, 2025 - 12:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:

  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
  # ip li set dev eth0 xdp off
  # ethtool -k eth0 | grep gro
  rx-gro-hw: off [requested on]

After:

  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
  # ip li set dev eth0 xdp off
  # ethtool -k eth0 | grep gro
  rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:

  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with:

  BUG: kernel NULL pointer dereference, address: 0000000000000168
  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
    __bnxt_setup_vnic_p5+0x58/0x110
    bnxt_init_nic+0xb72/0xf50
    __bnxt_open_nic+0x40d/0xab0
    bnxt_open_nic+0x2b/0x60
    ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues.

Analysis

The Linux kernel bnxt Ethernet driver fails to recalculate netdev features after an XDP program is detached. HW-GRO is left off but "requested on", and that pending re-enable is applied during whichever later reconfiguration happens to call netdev_update_features(). If that reconfiguration is an ethtool -L that halves the Rx ring count, the 2x ring multiplier of HW-GRO cancels the reduction, the RSS indirection table is not rebuilt, and the driver dereferences a freed ring, crashing the kernel (NULL pointer dereference). Linux kernel 6.13-rc1 through 6.13-rc7 are affected, and earlier versions potentially so. A local user who can attach and detach XDP programs and change ring counts on the interface (both operations require CAP_NET_ADMIN over the device) can trigger a denial of service with an ethtool channel reconfiguration following xdp off. The EPSS exploitation probability is extremely low (0.01st percentile), and no public exploit code has been identified.

Technical Context

The Broadcom NetXtreme bnxt driver in the Linux kernel (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) implements hardware offloads including HW-GRO (hardware Generic Receive Offload) and XDP (eXpress Data Path). The flaw is classified as CWE-476 (NULL Pointer Dereference) and manifests in __bnxt_hwrm_vnic_set_rss() when the driver programs the RSS table and touches a ring that has already been freed. The underlying defect, a missing feature recalculation after XDP detachment, has existed since XDP support was added to the driver; commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") turned it into a crash by reconfiguring the RSS hash table only when the "effective" number of Rx rings changes. With HW-GRO enabled the effective count is twice the user-visible count, so a pending HW-GRO re-enable (2x) and an ethtool -L that halves the ring count (/2) can cancel out: old_rx_rings equals bp->hw_resc.resv_rx_rings, the RSS map is not rebuilt, and it still references rings that were deallocated when the count was lowered.

Affected Products

Linux kernel versions 6.13-rc1 through 6.13-rc7 are explicitly listed as affected in the CVE data. Per the commit message, the underlying defect has been present since XDP support was added to the bnxt driver, but it did not cause major issues before commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()"); exact version boundaries for earlier trees are not given in the available data. Any system running an affected kernel with a Broadcom NetXtreme bnxt adapter is exposed, though triggering the crash requires a local user with the privilege to reconfigure the interface and the specific sequence of an XDP detach followed by an ethtool -L ring reduction. Multiple distribution advisories (SUSE-SU-2025:0428, 0499, 0557, 0564, 0565 and the 20x series) have shipped fixes, consistent with the patch having been backported to stable kernel trees.

Remediation

Upgrade to a kernel that includes the fix, referenced by commits 076a694a42ae3f0466bc6e4126050eeb7b7d299a, 08831a894d18abfaabb5bbde7c2069a7fb41dd93, 90336fc3d6f5e716ac39a9ddbbde453e23a5aa65 and f0aa6a37a3dbb40b272df5fc6db93c114688adcd. For SUSE systems, apply updates from advisory SUSE-SU-2025:0428 or later. Until a patched kernel is available, do not follow an XDP detach (ip link set dev <dev> xdp off) with an ethtool -L ring count change on bnxt adapters. The dangerous state is visible beforehand: ethtool -k <dev> reports rx-gro-hw: off [requested on] while the HW-GRO re-enable is pending, and ring tuning should be deferred while that line is present or while XDP programs are being actively managed. The upstream fix recalculates features whenever XDP is detached, so HW-GRO is re-enabled immediately and no stale RSS state is left to collide with a later reconfiguration.
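As an added example (not code from this page, the kernel, or the bnxt driver), the following POSIX shell guard checks for the pending state the commit message shows, rx-gro-hw: off [requested on], before allowing any ethtool -L change. The interface name eth0 and the two sample ethtool -k outputs are constructed for illustration; the parsing function reads ethtool -k text on stdin so it can be exercised offline without a bnxt adapter.

```shell
#!/bin/sh
# Added example: refuse to change ring counts while HW-GRO re-enablement is
# still pending after an XDP detach (the precondition for CVE-2025-21682).
# Assumptions: a bnxt interface and the usual `ethtool -k` line format
# "rx-gro-hw: off [requested on]". The device name is hypothetical.

# Print the rx-gro-hw line from `ethtool -k` text supplied on stdin.
gro_state_from_text() {
    sed -n 's/^[[:space:]]*\(rx-gro-hw:.*\)$/\1/p'
}

# Exit status 0 when rx-gro-hw is "off [requested on]", i.e. the driver has
# not yet recalculated features after XDP was cleared. Reads stdin.
gro_pending_from_text() {
    grep -qE '^[[:space:]]*rx-gro-hw:[[:space:]]*off[[:space:]]*\[requested on\]'
}

# Live check against a real interface (needs ethtool and CAP_NET_ADMIN for
# the later -L call; -k itself is read-only).
gro_pending() {
    ethtool -k "$1" 2>/dev/null | gro_pending_from_text
}

# Guarded wrapper around `ethtool -L`: bails out instead of lowering ring
# counts while the pending state could cancel the 2x HW-GRO ring change and
# leave the RSS map pointing at freed rings.
# Usage: safe_set_channels eth0 rx 4 tx 4
safe_set_channels() {
    dev=$1
    shift
    if gro_pending "$dev"; then
        echo "refusing ethtool -L on $dev: rx-gro-hw re-enable pending after XDP off (CVE-2025-21682)" >&2
        return 1
    fi
    ethtool -L "$dev" "$@"
}

# Constructed sample outputs (not captured from real hardware) for offline use.
SAMPLE_PENDING='Features for eth0:
rx-checksumming: on
rx-gro-hw: off [requested on]
tx-checksumming: on'

SAMPLE_CLEAN='Features for eth0:
rx-checksumming: on
rx-gro-hw: on
tx-checksumming: on'
```

On a real host, run `safe_set_channels <dev> rx N` in place of a bare `ethtool -L`; if it refuses, re-read ethtool -k after the next reconfiguration that touches features, or simply wait for a patched kernel before retuning rings.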

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0

Vendor Status


CVE-2025-21682 vulnerability details – vuln.today
