CVE-2025-37911: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix out-of-bound memcpy() during ethtool -w

When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption:

    BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
    Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):
     __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
     ethtool_get_dump_data+0xdc/0x1a0
     __dev_ethtool+0xa1e/0x1af0
     dev_ethtool+0xa8/0x170
     dev_ioctl+0x1b5/0x580
     sock_do_ioctl+0xab/0xf0
     sock_ioctl+0x1ce/0x2e0
     __x64_sys_ioctl+0x87/0xc0
     do_syscall_64+0x5c/0xf0
     entry_SYSCALL_64_after_hwframe+0x78/0x80
    ...

This happens when copying the coredump segment list in bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command. The info->dest_buf buffer is allocated based on the number of coredump segments returned by the FW. The segment list is then DMA'ed by the FW and the length of the DMA is returned by FW. The driver then copies this DMA'ed segment list to info->dest_buf. In some cases, this DMA length may exceed the info->dest_buf length and cause the above BUG condition.

Fix it by capping the copy length to not exceed the length of info->dest_buf. The extra DMA data contains no useful information.

This code path is shared for the HWRM_DBG_COREDUMP_LIST and the HWRM_DBG_COREDUMP_RETRIEVE FW commands. The buffering is different for these 2 FW commands. To simplify the logic, we need to move the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE up, so that the new check to cap the copy length will work for both commands.
AI Analysis
Technical Summary
CVE-2025-37911 is a vulnerability identified in the Linux kernel's bnxt_en network driver, specifically related to the handling of firmware (FW) coredumps via the ethtool utility. The issue arises during the retrieval of FW coredumps using the ethtool -w command, where an out-of-bounds memcpy operation can occur. This vulnerability is caused by improper handling of the length of DMA'ed segment lists returned by the firmware. The bnxt_en driver allocates a buffer (info->dest_buf) based on the number of coredump segments reported by the firmware. However, the actual length of the DMA data returned by the firmware can exceed this allocated buffer size. When the driver copies the DMA'ed segment list into the buffer without properly capping the copy length, it results in memory corruption, as detected by the Kernel Electric Fence (KFENCE) debugging tool. The root cause lies in the discrepancy between the buffer size and the DMA length, which can lead to an out-of-bounds write. The vulnerability affects the code paths handling two firmware commands: HWRM_DBG_COREDUMP_LIST and HWRM_DBG_COREDUMP_RETRIEVE. The fix involves adjusting the buffer length for the HWRM_DBG_COREDUMP_RETRIEVE command earlier in the logic and capping the memcpy length to the buffer size, preventing overflow. This vulnerability is specific to certain Linux kernel versions containing the affected bnxt_en driver code. No known exploits are reported in the wild as of the publication date. The vulnerability does not require user interaction but does require access to ethtool commands, which typically need elevated privileges.
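The following is an added illustration of the copy-length cap described above; it is not the bnxt_en driver's code, and the struct, function names and buffer sizes are constructed. It models a destination buffer sized from the firmware-reported segment count, a DMA completion whose reported length is larger than that buffer, and the clamp that keeps memcpy inside the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEG_ENTRY_SIZE 16   /* constructed: bytes per segment-list entry */

/* Constructed model of the driver's destination buffer (not bnxt_en's struct). */
struct dump_info {
    uint8_t *dest_buf;      /* sized from the segment count the FW reported */
    size_t   dest_buf_size; /* bytes allocated for dest_buf */
    size_t   dest_buf_len;  /* bytes actually filled */
};

/* Bytes an uncapped memcpy(dest_buf, dma_buf, dma_len) would write past the
 * end of dest_buf. Computes the overrun instead of performing it, so the
 * vulnerable pattern can be measured safely. */
size_t uncapped_overrun(const struct dump_info *info, size_t dma_len)
{
    return dma_len > info->dest_buf_size ? dma_len - info->dest_buf_size : 0;
}

/* Hardened copy: clamp the FW-reported DMA length to the buffer the driver
 * owns, which is what the fix does. Returns the number of bytes copied;
 * any surplus DMA data is dropped because it carries nothing useful. */
size_t copy_segment_list_capped(struct dump_info *info,
                                const uint8_t *dma_buf, size_t dma_len)
{
    size_t n = dma_len < info->dest_buf_size ? dma_len : info->dest_buf_size;
    memcpy(info->dest_buf, dma_buf, n);
    info->dest_buf_len = n;
    return n;
}

/* Demo: FW reports 4 segments, so 64 bytes are allocated, but the DMA
 * completion claims 80 bytes. Returns the bytes actually copied (64). */
size_t demo_fw_overreports(void)
{
    uint8_t dest[4 * SEG_ENTRY_SIZE];
    uint8_t dma[5 * SEG_ENTRY_SIZE];
    struct dump_info info = { dest, sizeof dest, 0 };
    memset(dma, 0xAB, sizeof dma);   /* constructed DMA payload */
    return copy_segment_list_capped(&info, dma, sizeof dma);
}
```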
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with the Broadcom NetXtreme-E (bnxt_en) network driver. The impact includes potential kernel memory corruption, which can lead to system instability, crashes (kernel panics), or denial of service (DoS). In worst-case scenarios, memory corruption vulnerabilities can be leveraged to execute arbitrary code in kernel context, potentially allowing privilege escalation or unauthorized control over the affected system. Given that many European enterprises, cloud providers, and critical infrastructure operators rely on Linux servers and network equipment using Broadcom NICs, exploitation could disrupt business operations, degrade service availability, or compromise sensitive data confidentiality and integrity. The vulnerability is exploitable locally by users with access to ethtool commands, which generally requires administrative or root privileges, limiting remote exploitation but increasing risk from insider threats or compromised accounts. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. Systems involved in telecommunications, finance, government, and industrial control in Europe, which often use Linux-based infrastructure with Broadcom NICs, are particularly sensitive to such kernel-level vulnerabilities.
Mitigation Recommendations
European organizations should take the following specific actions to mitigate CVE-2025-37911:
1) Identify and inventory all Linux systems using the bnxt_en driver, especially those with Broadcom NetXtreme-E network cards.
2) Apply the official Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distributions.
3) If immediate patching is not feasible, restrict access to ethtool commands to trusted administrators only, minimizing the risk of local exploitation.
4) Monitor system logs and kernel messages for signs of memory corruption or abnormal behavior related to ethtool operations.
5) Implement strict privilege management and auditing to detect and prevent unauthorized use of ethtool or similar utilities.
6) Consider network segmentation and isolation of critical Linux servers to reduce exposure.
7) Engage with hardware and Linux distribution vendors for updated firmware and kernel releases that incorporate the fix.
8) Conduct regular vulnerability assessments and penetration testing focusing on kernel-level vulnerabilities and local privilege escalation vectors.
These measures go beyond generic advice by emphasizing targeted identification of affected hardware, controlled access to vulnerable utilities, and proactive monitoring for exploitation indicators.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-04-16T04:51:23.967Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682cd0f71484d88663aeaf62
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 1:26:49 AM
Last updated: 8/18/2025, 11:32:57 PM