CVE-2025-37921: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

vxlan: vnifilter: Fix unlocked deletion of default FDB entry

When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 ("vxlan: Create wrappers for FDB lookup").

Reproducer:

 # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1
 # bridge vni add vni 10010 remote 198.51.100.1 dev vx0
 # bridge vni del vni 10010 dev vx0

Fix by acquiring the hash lock before the deletion and releasing it afterwards.

Blame the original commit that introduced the issue rather than the one that exposed it.

[1]
WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0
[...]
RIP: 0010:vxlan_find_mac+0x17f/0x1a0
[...]
Call Trace:
 <TASK>
 __vxlan_fdb_delete+0xbe/0x560
 vxlan_vni_delete_group+0x2ba/0x940
 vxlan_vni_del.isra.0+0x15f/0x580
 vxlan_process_vni_filter+0x38b/0x7b0
 vxlan_vnifilter_process+0x3bb/0x510
 rtnetlink_rcv_msg+0x2f7/0xb70
 netlink_rcv_skb+0x131/0x360
 netlink_unicast+0x426/0x710
 netlink_sendmsg+0x75a/0xc20
 __sock_sendmsg+0xc1/0x150
 ____sys_sendmsg+0x5aa/0x7b0
 ___sys_sendmsg+0xfc/0x180
 __sys_sendmsg+0x121/0x1b0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
AI Analysis
Technical Summary
CVE-2025-37921 is a vulnerability in the Linux kernel's VXLAN (Virtual Extensible LAN) implementation, specifically in the 'vnifilter' mode of VXLAN devices. VXLAN is a network virtualization technology widely used to encapsulate Layer 2 Ethernet frames in Layer 3 UDP packets, enabling scalable network segmentation in cloud and data center environments. The bug is triggered when a Virtual Network Identifier (VNI) is deleted from a VXLAN device operating in vnifilter mode: during that deletion, the Forwarding Database (FDB) entry associated with the default remote endpoint is removed without first acquiring the FDB hash lock that protects the entry's bucket. Deleting the entry outside the lock allows it to race with other FDB operations on the same bucket and trips the lockdep annotation in vxlan_find_mac(), which emits the kernel warning quoted in the description. The root cause is the unlocked deletion itself, which violates the locking rules of the kernel's networking code. Note that the commit that created wrappers for FDB lookup (ebe642067455) did not introduce the bug; it added the lockdep annotation that exposed an unlocked deletion present in an earlier commit, which is why the fix blames the original commit. The issue is reproducible with the ip and bridge commands in the description, which add and then delete a VNI with a default remote on a vnifilter-mode VXLAN device; as the # prompts and the rtnetlink frames in the call trace show, this is a local, privileged configuration change rather than something reachable from network traffic. Although the vulnerability does not appear to cause an immediate crash or memory corruption, the missing lock can leave the FDB in an inconsistent state, produce kernel warnings, and lead to undefined behavior under concurrent FDB operations. The fix acquires the hash lock before deleting the FDB entry and releases it afterwards, so the FDB is manipulated under the same lock as every other path. The vulnerability affects Linux kernel versions that carry the vnifilter VNI-deletion code prior to the fix and is relevant to environments using VXLAN in vnifilter mode, which is common in advanced network virtualization setups.
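The following userspace C model is an added illustration of the bug class described above; it is not kernel code and not part of this advisory. It models a per-bucket FDB hash lock, a lookup that carries a lockdep-style assertion (as vxlan_find_mac does), and the VNI-delete path once without and once with the lock. All names (fdb_table, fdb_find_mac, vni_del_unlocked, vni_del_locked) are hypothetical; the only kernel detail assumed is that vxlan keys the default-remote FDB entry on the all-zeros MAC.

```c
#include <pthread.h>
#include <string.h>

#define FDB_HASH_SIZE 8
struct fdb_entry { unsigned char mac[6]; int in_use; };
struct fdb_table {
    pthread_mutex_t hash_lock[FDB_HASH_SIZE]; /* per-bucket lock, as in vxlan's FDB */
    int hash_held[FDB_HASH_SIZE];             /* stand-in for lockdep's held-lock state */
    struct fdb_entry bucket[FDB_HASH_SIZE];   /* one entry per bucket keeps the model small */
    int lockdep_warnings;                     /* WARN hits, like [1] in the advisory */
};

/* vxlan keys the default-remote FDB entry on the all-zeros MAC (assumed kernel detail). */
static const unsigned char default_mac[6] = {0};

static unsigned int fdb_hash(const unsigned char *mac) { return mac[5] % FDB_HASH_SIZE; }
static void fdb_lock(struct fdb_table *t, unsigned int h)
{ pthread_mutex_lock(&t->hash_lock[h]); t->hash_held[h] = 1; }
static void fdb_unlock(struct fdb_table *t, unsigned int h)
{ t->hash_held[h] = 0; pthread_mutex_unlock(&t->hash_lock[h]); }
void fdb_table_init(struct fdb_table *t)
{ memset(t, 0, sizeof(*t)); for (int i = 0; i < FDB_HASH_SIZE; i++) pthread_mutex_init(&t->hash_lock[i], NULL); }

/* Models vxlan_find_mac() and its lockdep annotation: the caller must hold the bucket lock. */
static struct fdb_entry *fdb_find_mac(struct fdb_table *t, const unsigned char *mac)
{
    unsigned int h = fdb_hash(mac);
    if (!t->hash_held[h]) t->lockdep_warnings++; /* the WARNING the advisory quotes */
    return (t->bucket[h].in_use && !memcmp(t->bucket[h].mac, mac, 6)) ? &t->bucket[h] : NULL;
}

/* "bridge vni add ... remote": install the default-remote entry under the bucket lock. */
void fdb_add_default(struct fdb_table *t)
{
    unsigned int h = fdb_hash(default_mac);
    fdb_lock(t, h); memcpy(t->bucket[h].mac, default_mac, 6); t->bucket[h].in_use = 1; fdb_unlock(t, h);
}

static void fdb_delete(struct fdb_table *t, const unsigned char *mac)
{ struct fdb_entry *f = fdb_find_mac(t, mac); if (f) f->in_use = 0; }
/* Buggy "bridge vni del" path: deletes the default entry without holding the hash lock. */
int vni_del_unlocked(struct fdb_table *t) { fdb_delete(t, default_mac); return t->lockdep_warnings; }

/* Fixed path: acquire the bucket lock before the deletion and release it afterwards. */
int vni_del_locked(struct fdb_table *t)
{
    unsigned int h = fdb_hash(default_mac);
    fdb_lock(t, h); fdb_delete(t, default_mac); fdb_unlock(t, h);
    return t->lockdep_warnings;
}
```

Both paths remove the entry; only the unlocked one increments the warning counter, which is exactly the difference lockdep reports in the kernel.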
Potential Impact
For European organizations, the impact of CVE-2025-37921 depends largely on their use of Linux-based infrastructure employing VXLAN with vnifilter mode. Many enterprises and cloud providers in Europe rely on Linux servers for network virtualization and container orchestration platforms such as Kubernetes, which may leverage VXLAN for overlay networking. Improper locking in the FDB deletion process could lead to kernel warnings and potential instability in network virtualization components, possibly causing intermittent network disruptions or degraded performance. While no direct exploit or remote code execution is indicated, the vulnerability could be leveraged as part of a broader attack chain to destabilize network services or cause denial of service in critical infrastructure. This is particularly concerning for sectors with high reliance on virtualized networks, such as telecommunications, finance, and cloud service providers. Additionally, the presence of kernel warnings and race conditions complicates troubleshooting and may increase operational risk. Given the foundational role of Linux in European IT infrastructure, unpatched systems could face reliability issues impacting business continuity and service availability.
Mitigation Recommendations
To mitigate CVE-2025-37921, European organizations should prioritize updating their Linux kernels to versions where this vulnerability has been patched. Since the issue stems from improper locking in the VXLAN vnifilter code, applying the official kernel patches that acquire the hash lock before FDB deletion is essential. Organizations should:
1) Identify all systems running Linux kernels with VXLAN vnifilter enabled, especially those using the affected commit versions.
2) Test and deploy updated kernel versions from trusted Linux distributions that include the fix.
3) If immediate patching is not feasible, consider disabling vnifilter mode on VXLAN devices as a temporary workaround to avoid triggering the vulnerability.
4) Monitor kernel logs for lockdep warnings related to vxlan_find_mac and FDB deletions to detect potential exploitation or instability.
5) Implement robust change management and network configuration auditing to ensure VXLAN configurations follow best practices and minimize exposure.
6) Engage with Linux distribution vendors and security mailing lists to stay informed about updates and any emerging exploit techniques related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.968Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeaf81
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 1:40:15 AM
Last updated: 8/18/2025, 11:32:15 PM
Related Threats
- CVE-2025-52287: n/a (severity: Unknown)
- CVE-2025-55581: n/a (severity: High)
- CVE-2025-52085: n/a (severity: High)
- CVE-2025-43760: CWE-79: Cross-site Scripting in Liferay Portal (severity: Medium)
- CVE-2025-55613: n/a (severity: High)