
CVE-2025-21961: Vulnerability in Linux (vendor: Linux)

Severity: High
Published: Tue Apr 01 2025 (04/01/2025, 15:46:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: fix truesize for mb-xdp-pass case

When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and uses it instead of getting skb_shared_info from xdp_get_shared_info_from_buff().

Splat looks like:

    ------------[ cut here ]------------
    WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590
    Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms
    CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3
    RIP: 0010:skb_try_coalesce+0x504/0x590
    Call Trace:
     <IRQ>
     ? __warn+0x84/0x130
     ? skb_try_coalesce+0x504/0x590
     ? report_bug+0x18a/0x1a0
     ? handle_bug+0x53/0x90
     ? exc_invalid_op+0x14/0x70
     ? asm_exc_invalid_op+0x16/0x20
     ? skb_try_coalesce+0x504/0x590
     inet_frag_reasm_finish+0x11f/0x2e0
     ip_defrag+0x37a/0x900
     ip_local_deliver+0x51/0x120
     ip_sublist_rcv_finish+0x64/0x70
     ip_sublist_rcv+0x179/0x210
     ip_list_rcv+0xf9/0x130

How to reproduce:

    <Node A>
    ip link set $interface1 xdp obj xdp_pass.o
    ip link set $interface1 mtu 9000 up
    ip a a 10.0.0.1/24 dev $interface1

    <Node B>
    ip link set $interface2 mtu 9000 up
    ip a a 10.0.0.2/24 dev $interface2
    ping 10.0.0.1 -s 65000

The following ping.py patch adds an xdp-mb-pass case, so ping.py is going to be able to reproduce this issue.
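The ordering bug the commit message describes, modelled in a self-contained C snippet added here (this is not the bnxt driver's code): building the skb re-initialises the shared info at the buffer tail, so reading nr_frags afterwards under-reports truesize, while the fixed variant snapshots nr_frags first. The struct layouts, napi_build_skb_model() and the BNXT_RX_PAGE_SIZE value are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the ordering bug behind CVE-2025-21961, not the kernel's
 * own code: in the mb-xdp XDP_PASS path, truesize was derived from
 * sinfo->nr_frags after napi_build_skb() had already re-initialised the
 * skb_shared_info, so the value read back was stale (zero). */

#define BNXT_RX_PAGE_SIZE 4096u  /* assumed page size for the model */

struct skb_shared_info {
    uint32_t nr_frags;           /* page fragments attached to the frame */
};

/* Assumed layout: the shared info lives at the tail of the receive buffer,
 * which is why rebuilding the skb over the same memory wipes it. */
struct xdp_buff {
    unsigned char data[256];
    struct skb_shared_info sinfo;
};

/* Models napi_build_skb(): the shared info region is zeroed as the skb is built. */
static struct skb_shared_info *napi_build_skb_model(struct xdp_buff *xdp)
{
    memset(&xdp->sinfo, 0, sizeof(xdp->sinfo));
    return &xdp->sinfo;
}

/* Buggy ordering: nr_frags is read from the shared info after the build wiped
 * it, so the truesize handed to xdp_update_skb_shared_info() is too small. */
unsigned int truesize_buggy(struct xdp_buff *xdp)
{
    napi_build_skb_model(xdp);
    struct skb_shared_info *sinfo = &xdp->sinfo; /* xdp_get_shared_info_from_buff() */
    return BNXT_RX_PAGE_SIZE * sinfo->nr_frags;
}

/* Fixed ordering, as the advisory describes: snapshot nr_frags before the skb
 * is built and compute truesize from the saved copy. */
unsigned int truesize_fixed(struct xdp_buff *xdp)
{
    uint32_t nr_frags = xdp->sinfo.nr_frags;
    napi_build_skb_model(xdp);
    return BNXT_RX_PAGE_SIZE * nr_frags;
}

/* Builds a constructed receive buffer carrying the given fragment count. */
void xdp_buff_init(struct xdp_buff *xdp, uint32_t nr_frags)
{
    memset(xdp, 0, sizeof(*xdp));
    xdp->sinfo.nr_frags = nr_frags;
}
```

With three fragments the buggy path reports a truesize of 0 while the fixed path reports 3 * BNXT_RX_PAGE_SIZE, which is the accounting mismatch that skb_try_coalesce() later warns about.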

AI-Powered Analysis

Last updated: 06/30/2025, 11:12:27 UTC

Technical Analysis

CVE-2025-21961 is a vulnerability identified in the Linux kernel's networking subsystem, specifically in the Broadcom NetXtreme (bnxt) driver's handling of XDP (eXpress Data Path) buffers. The issue arises when mbuf-based XDP (mb-xdp) is set and packet processing returns XDP_PASS, which triggers a conversion from xdp_buff to sk_buff using xdp_update_skb_shared_info() within bnxt_xdp_build_skb(). The vulnerability is due to bnxt_xdp_build_skb() passing an incorrect truesize argument to xdp_update_skb_shared_info(): truesize is calculated as BNXT_RX_PAGE_SIZE multiplied by sinfo->nr_frags, but the skb_shared_info structure has already been wiped by napi_build_skb() by the time it is read. The fix stores sinfo->nr_frags before calling bnxt_xdp_build_skb() and uses the stored value instead of retrieving skb_shared_info from xdp_get_shared_info_from_buff().

This incorrect handling leads to memory corruption, as evidenced by kernel warnings and a crash (splat) in skb_try_coalesce(), the function responsible for coalescing socket buffers. The crash trace shows invalid operations and warnings indicating a kernel panic scenario. The vulnerability can be reproduced by configuring network interfaces with XDP programs that return XDP_PASS, setting the MTU to 9000, and sending large ping packets (size 65000) to trigger the faulty code path.

This bug affects Linux kernel versions around 6.14.0-rc2+ and involves low-level packet processing in the bnxt driver, which is used in Broadcom network adapters. The flaw can lead to kernel crashes (denial of service) and potentially memory corruption that could be exploited for privilege escalation or arbitrary code execution, though no known exploits are reported yet. The vulnerability is technical and specific to environments using the affected bnxt driver with XDP enabled and high MTU settings.

Potential Impact

For European organizations, the impact of CVE-2025-21961 can be significant, especially for data centers, cloud providers, and enterprises relying on Linux servers with Broadcom NetXtreme network adapters. The vulnerability can cause kernel crashes leading to denial of service (DoS), disrupting critical network services and applications. In high-availability environments, such as financial institutions, telecommunications, and public sector infrastructure, unexpected downtime can result in operational disruptions and financial losses. Furthermore, if exploited beyond DoS, memory corruption could allow attackers to escalate privileges or execute arbitrary code within the kernel, compromising confidentiality and integrity of sensitive data. Organizations running containerized workloads or network functions using XDP for performance optimization are particularly at risk. The lack of a known exploit in the wild reduces immediate threat but does not eliminate risk, as attackers may develop exploits over time. The complexity of the vulnerability means that only skilled attackers with network access and knowledge of XDP internals could exploit it, but the potential impact on availability and security posture is high.

Mitigation Recommendations

To mitigate CVE-2025-21961, European organizations should:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available, particularly updating to kernel versions beyond 6.14.0-rc2+ where the fix is included.
2) Temporarily disable XDP programs on bnxt interfaces or avoid using the mb-xdp-pass mode until patches are applied, especially in production environments.
3) Limit MTU sizes to standard values (e.g., 1500) if jumbo frames are not essential, as the issue is reproducible with MTU 9000.
4) Monitor kernel logs for warnings related to skb_try_coalesce or other network stack anomalies that may indicate attempts to trigger this bug.
5) Conduct network segmentation and restrict access to systems running vulnerable kernels and bnxt drivers to trusted users and networks to reduce attack surface.
6) Employ kernel live patching solutions where possible to minimize downtime during patch deployment.
7) Engage with hardware vendors and Linux distribution maintainers to ensure timely updates and guidance.
8) Test patches in staging environments to verify stability and compatibility with existing XDP programs and network configurations.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.795Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8d42

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 11:12:27 AM

Last updated: 7/31/2025, 11:21:41 PM

