CVE-2025-21682
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21682
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21682.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21682
- Downstream
- Related
- Published
- 2025-01-31T11:25:42Z
- Modified
- 2025-10-17T21:00:32.668227Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- eth: bnxt: always recalculate features after XDP clearing, fix null-deref
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: always recalculate features after XDP clearing, fix null-deref
Recalculate features when XDP is detached.
Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on]
After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on
The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdevupdatefeatures(). The driver doesn't handle reconfiguring two things at a time very robustly.
Starting with commit 98ba1d931f61 ("bnxten: Fix RSS logic in _bnxtreserverings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:
if (oldrxrings != bp->hwresc.resvrx_rings &&
condition in _bnxtreserve_rings() will be false. The RSS map won't get updated, and we'll crash with:
BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:_bnxthwrmvnicsetrss+0x13a/0x1a0 bnxthwrmvnicrsscfgp5+0x47/0x180 _bnxtsetupvnicp5+0x58/0x110 bnxtinitnic+0xb72/0xf50 _bnxtopennic+0x40d/0xab0 bnxtopennic+0x2b/0x60 ethtoolset_channels+0x18c/0x1d0
As we try to access a freed ring.
The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxten: Fix RSS logic in _bnxtreserverings()") it wasn't causing major issues.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1054aee82321483dceabbb9b9e5d6512e8fe684bFixed08831a894d18abfaabb5bbde7c2069a7fb41dd93
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1054aee82321483dceabbb9b9e5d6512e8fe684bFixedf0aa6a37a3dbb40b272df5fc6db93c114688adcd
Affected versions
v4.*
v4.15
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"id": "CVE-2025-21682-1690f319",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"digest": {
"line_hashes": [
"331822575848222141031163858661384729009",
"195202145743037447398611108111677889866",
"223187465459004964521987317667633213211",
"153071736596332771127899178965625105474",
"140582542248885426813842007249672578282",
"123238455077530198687290385989540922502",
"93759092387677900470820159670085645629",
"248842490601689295801918697608255702075",
"53932007621590165814166510102639499664",
"269788077035240044432975134829434540000",
"72547307458737377365555149095650194184",
"29963735431270436171426105838866199724",
"125206456389197744721330918055107506647",
"229439541934651990180760475236152342840",
"89820072803126938967875065729550444992",
"87890568262423024036853260763205359297",
"130474221998859483456939566248050876165",
"309809759539141387834312932808355471137",
"178093056287206858540520443689453075317"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-23b6e5e0",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"digest": {
"line_hashes": [
"176700575226621180102870903384930816365",
"305068370290339239639608945846466412315",
"208990121203402814618549783601889756535",
"268119085286743459720897046972764653183",
"207740746575137017821170183725085767960",
"171569062796703877993814112965108654303",
"247548739340784147556549919307647905260",
"108465273231489548864620481129220643839",
"146180638148522521942313021909222878356",
"292995718487197016522588393539522735076",
"48255000238263172778130475993016772579"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-38dc3b0e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"digest": {
"line_hashes": [
"176700575226621180102870903384930816365",
"305068370290339239639608945846466412315",
"208990121203402814618549783601889756535",
"268119085286743459720897046972764653183",
"207740746575137017821170183725085767960",
"171569062796703877993814112965108654303",
"247548739340784147556549919307647905260",
"108465273231489548864620481129220643839",
"146180638148522521942313021909222878356",
"292995718487197016522588393539522735076",
"48255000238263172778130475993016772579"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-856c13e1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"digest": {
"line_hashes": [
"331822575848222141031163858661384729009",
"195202145743037447398611108111677889866",
"223187465459004964521987317667633213211",
"153071736596332771127899178965625105474",
"140582542248885426813842007249672578282",
"123238455077530198687290385989540922502",
"93759092387677900470820159670085645629",
"248842490601689295801918697608255702075",
"53932007621590165814166510102639499664",
"269788077035240044432975134829434540000",
"72547307458737377365555149095650194184",
"29963735431270436171426105838866199724",
"125206456389197744721330918055107506647",
"229439541934651990180760475236152342840",
"89820072803126938967875065729550444992",
"87890568262423024036853260763205359297",
"130474221998859483456939566248050876165",
"309809759539141387834312932808355471137",
"178093056287206858540520443689453075317"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-887a6432",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"digest": {
"length": 1607.0,
"function_hash": "305525965850163589923202570721137274661"
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c",
"function": "bnxt_xdp_set"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-889c0f80",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"digest": {
"length": 869.0,
"function_hash": "43600969798142739945076535811967446892"
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"function": "bnxt_set_rx_skb_mode"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-95c1c35b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"digest": {
"line_hashes": [
"148819416362180604245055429985419435990",
"275124874221238208391408455774353117529",
"251284519472757740016238432558460420302",
"203136604018054187400465067308593831176"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.h"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-d21ee295",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"digest": {
"length": 1607.0,
"function_hash": "305525965850163589923202570721137274661"
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c",
"function": "bnxt_xdp_set"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-d719ae4f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"digest": {
"line_hashes": [
"84916112682008139055703039375432918913",
"275124874221238208391408455774353117529",
"251284519472757740016238432558460420302",
"203136604018054187400465067308593831176"
],
"threshold": 0.9
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.h"
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2025-21682-f050fc4d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"digest": {
"length": 869.0,
"function_hash": "43600969798142739945076535811967446892"
},
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"function": "bnxt_set_rx_skb_mode"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
}
]