What is the CVSS score of CVE-2025-21682?

CVE-2025-21682 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Linux Kernel are affected by CVE-2025-21682?

CVE-2025-21682 presents moderate security risk, a null pointer dereference vulnerability rated CVSS 5.5. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-21682?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Linux Kernel CVE-2025-21682

MEDIUM

NULL Pointer Dereference (CWE-476)

2025-01-31 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Denial Of Service Linux Null Pointer Dereference Broadcom Linux Kernel

5.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 25, 2026 - 11:22 vuln.today

Patch released

Mar 25, 2026 - 11:22 nvd

Patch available

CVE Published

Jan 31, 2025 - 12:15 nvd

MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:

ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp

ip li set dev eth0 xdp off

ethtool -k eth0 | grep gro

rx-gro-hw: off [requested on]

After:

ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp

ip li set dev eth0 xdp off

ethtool -k eth0 | grep gro

rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:

if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with:

BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues.

AnalysisAI

Linux kernel bnxt ethernet driver fails to recalculate network features after XDP program detachment, causing null pointer dereference and kernel crash when ring configurations are subsequently modified. The vulnerability affects Linux kernel 6.13-rc1 through 6.13-rc7 and potentially earlier versions; local authenticated users can trigger denial of service via ethtool channel reconfiguration following XDP off commands. EPSS exploitation probability is extremely low at 0.01th percentile, and no public exploit code has been identified.

Technical ContextAI

The Broadcom NetXtreme bnxt driver (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) implements hardware offload features including GRO (Generic Receive Offload) and XDP (eXpress Data Path) support. The vulnerability manifests as CWE-476 (Null Pointer Dereference) in the __bnxt_hwrm_vnic_set_rss() function when the driver attempts to access freed ring structures. The root cause originates from commit 98ba1d931f61 which optimized RSS hash table reconfiguration by comparing effective ring counts; when HW-GRO is pending re-enablement after XDP detachment, the effective ring calculation (2x when GRO enabled, 1x when disabled) can mathematically cancel out an ethtool -L ring reduction, preventing the necessary RSS map update and leaving stale pointers to deallocated memory.

RemediationAI

Upgrade to patched kernel versions incorporating fixes referenced in kernel commit 076a694a42ae3f0466bc6e4126050eeb7b7d299a, 08831a894d18abfaabb5bbde7c2069a7fb41dd93, 90336fc3d6f5e716ac39a9ddbbde453e23a5aa65, or f0aa6a37a3dbb40b272df5fc6db93c114688adcd. For SUSE systems, apply updates from advisories SUSE-SU-2025:0428 or later. Until kernel update is available, avoid XDP program attachment/detachment cycles immediately followed by ethtool ring count modifications on systems with Broadcom bnxt adapters. Network administrators should defer network feature tuning operations when XDP programs are actively managed. The upstream fix ensures feature recalculation always occurs after XDP detachment, preventing the stale RSS state condition.