CVE-2025-21970: Vulnerability in the Linux kernel (net/mlx5)
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Bridge, fix the crash caused by LAG state check

When removing a LAG device from a bridge, a NETDEV_CHANGEUPPER event is triggered. The driver finds the lower devices (PFs) to flush all the offloaded entries, and mlx5_lag_is_shared_fdb is checked; it returns false if one of the PFs is unloaded. In such a case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL instead of the alive PF, and the flush is skipped.

Besides, the bridge fdb entry's lastuse is updated in the mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for the bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, the mlx5 bridge workqueue keeps sending that event, which is then handled by the kernel bridge notifier. It causes the following crash when accessing the passed bond netdev, which is already destroyed.

To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"); the driver still needs to skip offload if the LAG enters an invalid state after initialization.
Oops: stack segment: 0000 [#1] SMP
CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]
RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]
Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7
RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297
RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff
RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0
RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60
R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x60
 ? die+0x38/0x60
 ? do_trap+0x10b/0x120
 ? do_error_trap+0x64/0xa0
 ? exc_stack_segment+0x33/0x50
 ? asm_exc_stack_segment+0x22/0x30
 ? br_switchdev_event+0x2c/0x110 [bridge]
 ? sched_balance_newidle.isra.149+0x248/0x390
 notifier_call_chain+0x4b/0xa0
 atomic_notifier_call_chain+0x16/0x20
 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]
 mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]
 process_scheduled_works+0x81/0x390
 worker_thread+0x106/0x250
 ? bh_worker+0x110/0x110
 kthread+0xb7/0xe0
 ? kthread_park+0x80/0x80
 ret_from_fork+0x2d/0x50
 ? kthread_park+0x80/0x80
 ret_from_fork_asm+0x11/0x20
 </TASK>
AI Analysis
Technical Summary
CVE-2025-21970 is a use-after-free in the Linux kernel's mlx5 driver (Mellanox/NVIDIA ConnectX adapters), in the code that offloads Linux bridge forwarding to the NIC when the bridge port is a LAG (bond) of two mlx5 physical functions (PFs). Removing the bond from the bridge raises NETDEV_CHANGEUPPER; the driver locates the underlying PFs and flushes the offloaded forwarding database (FDB) entries. Before doing so it checked mlx5_lag_is_shared_fdb(), which returns false once one of the PFs has been unloaded. In that state mlx5_esw_bridge_lag_rep_get() and its caller returned NULL instead of the surviving PF, so the flush was silently skipped and the offloaded entries outlived the bond.

Two consequences follow. The lastuse timestamp of the corresponding bridge FDB entry is refreshed from the mlx5 bridge event handler through SWITCHDEV_FDB_ADD_TO_BRIDGE, and that event is ignored once the bond's upper interface is gone, so the entry is never aged out. And because the entry still looks live, the mlx5 bridge workqueue (mlx5_esw_bridge_update_work) keeps re-sending the event, which the bridge notifier handles in br_switchdev_event() using the netdev pointer stored in the stale entry: the bond that has already been destroyed.

The oops above shows what that dereference looks like. The faulting bytes 4c 8b 65 00 decode to mov r12,[rbp], and RBP holds 0x6669746f6e690a30, which read as little-endian bytes is the printable string "0\ninotif": the freed memory has been reused for string data. Because that value is a non-canonical address accessed through RBP, the CPU raises #SS rather than a page fault, which is why the header reads "Oops: stack segment". The trace also shows the crash was reproduced in a QEMU guest on a 6.11-based kernel carrying an out-of-tree, unsigned module (taint flags O and E); "6.11.0_mlnx" is the reporter's build tag, not an affected-version range, and this page lists no affected versions.

The fix removes the check that made the removal path return NULL. LAG state is already verified when the bond is added to the bridge (commit 15f8f168952f, "net/mlx5: Bridge, verify LAG state when adding bond to bridge"), and the commit notes the driver still needs to skip offload if the LAG becomes invalid after initialization. Reaching the bug requires unloading one PF and then removing the bond from the bridge, both privileged operations on the host, so the practical impact is denial of service: the oops kills the kworker, and hosts with kernel.panic_on_oops=1 panic and reboot. No known exploits are reported in the wild, and no CVSS score has been assigned.
Potential Impact
For European organizations the exposure is concentrated in data centers, cloud and hosting providers, HPC clusters and virtualization hosts that run Linux on Mellanox/NVIDIA ConnectX adapters with bridge offload over a LAG of two PFs, a layout common in SR-IOV switchdev deployments. The effect is loss of availability: the oops kills the mlx5 bridge worker and, on hosts with kernel.panic_on_oops=1, reboots the machine and every VM or container on it. Even where the host survives, the offloaded FDB entries that were never flushed leave stale forwarding state on the NIC until the driver is reloaded or the host rebooted.

Confidentiality and integrity are not directly affected, and the triggering sequence (a PF unloaded, then the bond removed from the bridge) needs root or CAP_NET_ADMIN in the host network namespace. This is therefore primarily a stability bug hit by maintenance automation (driver reloads, firmware updates, host decommissioning) rather than a remotely reachable attack surface; it becomes a privilege-boundary concern only where a tenant or orchestration component is trusted with host-level network configuration. Given how widely Linux and Mellanox hardware are deployed in European cloud and enterprise infrastructure, unpatched fleets can suffer correlated outages during routine maintenance windows. No exploits are known in the wild.
Mitigation Recommendations
European organizations should take the following specific actions to mitigate this vulnerability:

1) Inventory Linux hosts with mlx5 adapters (lspci | grep -i mellanox, or the presence of the mlx5_core module) and flag those where a bond of two PFs is enslaved to a Linux bridge; only those hosts can reach the faulty code path.

2) Apply the kernel that carries the fix for CVE-2025-21970 as soon as your distribution or NVIDIA publishes it. The reporter's oops carries the OOT_MODULE taint and a "_mlnx" kernel tag, so check whether you load the in-tree driver or a vendor-packaged one (modinfo mlx5_core shows the module path) and patch the one you actually run.

3) Until patched, change the teardown order rather than abandoning LAG or bridging: detach the bond from the bridge, and delete the bond, while both PFs are still bound, and only then unbind or unload a PF. The flush is skipped only when a PF is already gone at removal time, so this ordering avoids the stale entries that lead to the crash.

4) Watch kernel logs for the crash signature: an Oops whose Workqueue line names mlx5_bridge_wq / mlx5_esw_bridge_update_work and whose RIP is in br_switchdev_event. A hit means the host is already running with a dead bridge worker and should be scheduled for a reboot onto a fixed kernel.

5) Correlate unexpected reboots and loss of connectivity on bridge-offloaded ports with maintenance events (driver reloads, firmware updates) on mlx5 hosts; that pairing, not external traffic, is what exposes this bug.

6) Review automation that reloads mlx5_core or resets the NIC so that it follows the ordering in step 3 and never leaves a bond in a bridge while one PF is down.

7) Confirm with NVIDIA/Mellanox that the adapter firmware you run is supported with the patched driver before rolling it out.

8) Rehearse the response to a host-level kernel oops on network infrastructure, including how workloads fail over when a hypervisor panics.

These steps target the specific driver, hardware and topology involved rather than generic patching advice.
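The register observations in the Technical Summary and the log-monitoring step above both come down to reading the oops carefully. The script below is an added example written for this page; it is not part of the advisory, the kernel tree or any vendor tooling. It parses an x86-64 oops (the constructed sample is the header, Code: line and register dump copied from the trace above), decodes the faulting mov, flags registers holding non-canonical or ASCII-looking values, and reports whether the workqueue/RIP pair matches this crash. All function names are this example's own.

```python
"""Kernel oops triage (added example; not from the advisory or the kernel tree).

Given an x86-64 oops like the one above, report which instruction faulted,
which register it dereferenced, and whether any register holds a non-canonical
or ASCII-looking value, the usual fingerprint of a dangling pointer whose slab
object has been freed and reused.  Also checks the workqueue/RIP signature of
the mlx5 bridge crash so the script can be run over journal output as a monitor.
"""
from __future__ import annotations

import re
import string

# Constructed sample: the header, Code: line and register dump copied from the
# advisory's oops, trimmed to the lines this script reads.
SAMPLE_OOPS = """\
Oops: stack segment: 0000 [#1] SMP
Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]
RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]
Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7
RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297
RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff
RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0
RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60
R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000
"""

REG_RE = re.compile(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|SP|\d{2})): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
# Names follow the oops dump (R08, R09) so decoded operands index the parsed dict.
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
          "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]


def parse_registers(oops: str) -> dict[str, int]:
    """General-purpose registers from the dump, e.g. {'RBP': 0x6669746f6e690a30, ...}."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}


def is_canonical(addr: int) -> bool:
    """48-bit VA rule: bits 63..47 must all equal bit 47.  A load through RBP or
    RSP from a non-canonical address raises #SS, hence 'Oops: stack segment'."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def looks_like_ascii(value: int) -> bool:
    """All eight little-endian bytes printable: the register holds text, not a pointer."""
    return all(chr(b) in string.printable for b in value.to_bytes(8, "little"))


def faulting_instruction(oops: str) -> tuple[str, ...]:
    """Hex bytes from the '<xx>' marker in the Code: line onward (RIP points there)."""
    m = re.search(r"^Code: (.*)$", oops, re.M)
    toks = m.group(1).split() if m else []
    start = next((i for i, t in enumerate(toks) if t.startswith("<")), None)
    return () if start is None else tuple(t.strip("<>") for t in toks[start:])


def decode_mov_load(code: tuple[str, ...]) -> tuple[str, str, int] | None:
    """Decode only 'REX.W 8B /r' with a plain base register: mov r64, [base+disp].

    That is the encoding of the faulting bytes in the advisory (4c 8b 65 00 ->
    mov r12, [rbp+0]); SIB, RIP-relative and register-direct forms return None.
    """
    b = [int(x, 16) for x in code[:7]]
    if len(b) < 3 or (b[0] & 0xF8) != 0x48 or not b[0] & 0x8 or b[1] != 0x8B:
        return None
    mod, reg, rm = b[2] >> 6, (b[2] >> 3) & 7, b[2] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    dst = REGS64[reg | (8 if b[0] & 0x4 else 0)]
    base = REGS64[rm | (8 if b[0] & 0x1 else 0)]
    disp_len = {0: 0, 1: 1, 2: 4}[mod]
    disp = int.from_bytes(bytes(b[3:3 + disp_len]), "little", signed=True) if disp_len else 0
    return dst, base, disp


def triage(oops: str) -> dict:
    """Collect the fields a responder wants before reading the call trace."""
    regs = parse_registers(oops)
    fault = re.search(r"^Oops: (.+?): [0-9a-f]{4} ", oops, re.M)
    wq = re.search(r"^Workqueue: (\S+) (\S+)", oops, re.M)
    rip = re.search(r"^RIP: [0-9a-f]{4}:([A-Za-z_][\w.]*)", oops, re.M)
    insn = decode_mov_load(faulting_instruction(oops))
    base = insn[1] if insn else None
    return {
        "fault": fault.group(1) if fault else None,
        "workqueue": wq.group(1) if wq else None,
        "worker_fn": wq.group(2) if wq else None,
        "rip_symbol": rip.group(1) if rip else None,
        "deref_register": base,
        "deref_value": regs.get(base) if base else None,
        "deref_bytes": regs[base].to_bytes(8, "little") if base in regs else None,
        # R11 = 0xfefefefefefefeff is the word-at-a-time string constant, not a
        # pointer; the register that matters is the faulting instruction's base.
        "non_canonical": sorted(r for r, v in regs.items() if not is_canonical(v)),
        "ascii_like": sorted(r for r, v in regs.items() if looks_like_ascii(v)),
    }


def matches_mlx5_bridge_crash(report: dict) -> bool:
    """Crash shape from this advisory: the mlx5 bridge workqueue driving
    br_switchdev_event into a fault through a non-canonical base register."""
    return (report["workqueue"] == "mlx5_bridge_wq"
            and report["rip_symbol"] == "br_switchdev_event"
            and report["deref_register"] is not None
            and report["deref_register"] in report["non_canonical"])


if __name__ == "__main__":
    import sys
    text = SAMPLE_OOPS if sys.stdin.isatty() else sys.stdin.read()
    report = triage(text)
    for key, value in report.items():
        print(f"{key:15} {value!r}")
    print("matches CVE-2025-21970 crash shape:", matches_mlx5_bridge_crash(report))
```

Run it against live logs with journalctl -k -o cat | python3 triage.py. The decoder deliberately handles one encoding; the point is that the base register of the faulting load, not every odd-looking register, is the one to inspect, and a printable string in it means the object was freed and its memory reused. A patched kernel no longer reaches this path, so the workqueue/RIP match is the durable part of the signature; the fault type can differ if the reused memory happens to hold a canonical value.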
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.797Z
- CISA Enriched: false
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8db6
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 11:25:12 AM
Last updated: 8/1/2025, 5:20:21 PM
Views: 10