CVE-2025-38246

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38246
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38246.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38246
Downstream
Related
Published
2025-07-09T10:42:27Z
Modified
2025-10-18T03:26:33.818269Z
Summary
bnxt: properly flush XDP redirect lists
Details

In the Linux kernel, the following vulnerability has been resolved:

bnxt: properly flush XDP redirect lists

We encountered following crash when testing a XDP_REDIRECT feature in production:

[56251.579676] listadd corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd 40f30). [56251.601413] ------------[ cut here ]------------ [56251.611357] kernel BUG at lib/listdebug.c:29! [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6. 3 #1 [56251.653155] Tainted: [P]=PROPRIETARYMODULE, [O]=OOTMODULE [56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025 [56251.682626] RIP: 0010:_listaddvalidorreport+0x4b/0xa0 [56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89 [56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246 [56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000 [56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80 [56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18 [56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000 [56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40 [56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000 [56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0 [56251.831365] PKRU: 55555554 [56251.838653] Call Trace: [56251.845560] <IRQ> [56251.851943] cpumapenqueue.cold+0x5/0xa [56251.860243] xdpdoredirect+0x2d9/0x480 [56251.868388] bnxtrxxdp+0x1d8/0x4c0 [bnxten] [56251.877028] bnxtrxpkt+0x5f7/0x19b0 [bnxten] [56251.885665] ? cpumaxwrite+0x1e/0x100 [56251.893510] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.902276] _bnxtpollwork+0x190/0x340 [bnxten] [56251.911058] bnxtpoll+0xab/0x1b0 [bnxten] [56251.919041] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.927568] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.935958] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.944250] _napipoll+0x2b/0x160 [56251.951155] bpftrampoline6442548651+0x79/0x123 [56251.959262] _napipoll+0x5/0x160 [56251.966037] netrxaction+0x3d2/0x880 [56251.973133] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.981265] ? srsoaliasreturnthunk+0x5/0xfbef5 [56251.989262] ? _hrtimerrunqueues+0x162/0x2a0 [56251.996967] ? srsoaliasreturnthunk+0x5/0xfbef5 [56252.004875] ? srsoaliasreturnthunk+0x5/0xfbef5 [56252.012673] ? bnxtmsix+0x62/0x70 [bnxten] [56252.019903] handlesoftirqs+0xcf/0x270 [56252.026650] irqexitrcu+0x67/0x90 [56252.032933] commoninterrupt+0x85/0xa0 [56252.039498] </IRQ> [56252.044246] <TASK> [56252.048935] asmcommoninterrupt+0x26/0x40 [56252.055727] RIP: 0010:cpuidleenterstate+0xb8/0x420 [56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29 [56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202 [56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000 [56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000 [56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e [56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860 [56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000 [56252.146667] ? cpuidleenterstate+0xab/0x420 [56252.153909] cpuidleenter+0x2d/0x40 [56252.160360] doidle+0x176/0x1c0 [56252.166456 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Fixed
16254aa985d14dee050564c4a3936f3dc096e1f7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Fixed
c6665b8f0f58082c480ed8627029f44d046ef2c8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Fixed
02bf488d56df9db4f5147280b65d9011e1ab88d2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8
Fixed
9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f

Affected versions

v5.*

v5.18
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.16-rc1
v6.16-rc2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "length": 2041.0,
            "function_hash": "64229003483246153847785320913776259571"
        },
        "target": {
            "function": "__bnxt_poll_work",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6665b8f0f58082c480ed8627029f44d046ef2c8",
        "signature_version": "v1",
        "id": "CVE-2025-38246-2a575b37"
    },
    {
        "digest": {
            "length": 1557.0,
            "function_hash": "148890906154127554952323482923657018739"
        },
        "target": {
            "function": "__bnxt_poll_work",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16254aa985d14dee050564c4a3936f3dc096e1f7",
        "signature_version": "v1",
        "id": "CVE-2025-38246-2d7f1c82"
    },
    {
        "digest": {
            "length": 2041.0,
            "function_hash": "64229003483246153847785320913776259571"
        },
        "target": {
            "function": "__bnxt_poll_work",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02bf488d56df9db4f5147280b65d9011e1ab88d2",
        "signature_version": "v1",
        "id": "CVE-2025-38246-30b3df77"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "310261001425588191441223111970920325012",
                "104491618963487905530888750402426150916",
                "255499464992768457338331603092549951974",
                "204830089214950964889531291348798017835",
                "176105741042007591875195665147591802802",
                "305062419876238790541775430979625866655",
                "251859062288403876590104149033811277332",
                "175645729690493184260046270481477788793",
                "197971565882865614939524307420121917274",
                "204791644409865111934248142238680350747",
                "145292769331048814587073287785186637052",
                "122360701505669071280747692002659351505",
                "337623383677733418655977000499524302345"
            ]
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16254aa985d14dee050564c4a3936f3dc096e1f7",
        "signature_version": "v1",
        "id": "CVE-2025-38246-6294854b"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "310261001425588191441223111970920325012",
                "104491618963487905530888750402426150916",
                "310097629855984730719128809852858789526",
                "68999754274258847597730669360922243434",
                "176105741042007591875195665147591802802",
                "305062419876238790541775430979625866655",
                "251859062288403876590104149033811277332",
                "175645729690493184260046270481477788793",
                "171822280041996241758499006649443773872",
                "69183984419059884790366608436843953161",
                "265132248215018851340022355959637411430",
                "242445222893588168832048969376972960786"
            ]
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02bf488d56df9db4f5147280b65d9011e1ab88d2",
        "signature_version": "v1",
        "id": "CVE-2025-38246-72ace96a"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "310261001425588191441223111970920325012",
                "104491618963487905530888750402426150916",
                "310097629855984730719128809852858789526",
                "68999754274258847597730669360922243434",
                "176105741042007591875195665147591802802",
                "305062419876238790541775430979625866655",
                "251859062288403876590104149033811277332",
                "175645729690493184260046270481477788793",
                "171822280041996241758499006649443773872",
                "69183984419059884790366608436843953161",
                "265132248215018851340022355959637411430",
                "242445222893588168832048969376972960786"
            ]
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f",
        "signature_version": "v1",
        "id": "CVE-2025-38246-9ff39464"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "310261001425588191441223111970920325012",
                "104491618963487905530888750402426150916",
                "310097629855984730719128809852858789526",
                "68999754274258847597730669360922243434",
                "176105741042007591875195665147591802802",
                "305062419876238790541775430979625866655",
                "251859062288403876590104149033811277332",
                "175645729690493184260046270481477788793",
                "171822280041996241758499006649443773872",
                "69183984419059884790366608436843953161",
                "265132248215018851340022355959637411430",
                "242445222893588168832048969376972960786"
            ]
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6665b8f0f58082c480ed8627029f44d046ef2c8",
        "signature_version": "v1",
        "id": "CVE-2025-38246-c196518d"
    },
    {
        "digest": {
            "length": 2041.0,
            "function_hash": "64229003483246153847785320913776259571"
        },
        "target": {
            "function": "__bnxt_poll_work",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f",
        "signature_version": "v1",
        "id": "CVE-2025-38246-cda53e18"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.6.97
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.36
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.5