CVE-2025-39894
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When sending a broadcast packet to a tap device which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the warning below may happen.

------------[ cut here ]------------
WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
RIP: 0010:br_nf_local_in+0x168/0x200
Call Trace:
 <TASK>
 nf_hook_slow+0x3e/0xf0
 br_pass_frame_up+0x103/0x180
 br_handle_frame_finish+0x2de/0x5b0
 br_nf_hook_thresh+0xc0/0x120
 br_nf_pre_routing_finish+0x168/0x3a0
 br_nf_pre_routing+0x237/0x5e0
 br_handle_frame+0x1ec/0x3c0
 __netif_receive_skb_core+0x225/0x1210
 __netif_receive_skb_one_core+0x37/0xa0
 netif_receive_skb+0x36/0x160
 tun_get_user+0xa54/0x10c0
 tun_chr_write_iter+0x65/0xb0
 vfs_write+0x305/0x410
 ksys_write+0x60/0xd0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() tries to merge the conntracks and updates skb->_nfct. However, br_nf_local_in() still uses the old ct from the local variable 'nfct' after confirm(), which leads to this warning. If confirm() does not insert the conntrack entry and returns NF_DROP, the warning may also occur. There is no need to retain the WARN_ON_ONCE; just remove it.
Meta Information
Published: 2025-10-01
Last Modified: 2025-11-03
Generated: 2026-05-07
AI Q&A: 2025-10-01
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor  Product       Version / Range
linux   linux_kernel  6.1.153
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the br_netfilter component of the Linux kernel's netfilter subsystem. When a broadcast packet is sent to a tap device that is part of a bridge, br_nf_local_in() is called to confirm the connection tracking entry (conntrack). If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, nf_ct_resolve_clash() merges the entries and updates skb->_nfct, but br_nf_local_in() keeps using the stale conntrack pointer it saved in a local variable before confirm(). Checking the confirmed bit on that stale entry triggers the WARN_ON_ONCE, and the same happens when confirm() does not insert the entry and returns NF_DROP. The fix removes the unnecessary warning rather than re-checking the stale reference.


How can this vulnerability impact me?

This vulnerability can cause kernel warnings and potential instability in the networking stack when handling certain packets on bridged tap devices. The advisory does not describe a data leak or privilege escalation; the warning indicates a race or logic issue in connection tracking that could lead to unexpected behaviour or kernel instability, potentially affecting network reliability and performance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This issue can be detected by monitoring the kernel log for the warning emitted by br_nf_local_in(). Look for kernel warnings similar to:

WARNING: CPU: ... at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200

The commands

journalctl -k | grep br_nf_local_in

or

dmesg | grep br_nf_local_in

will show whether this warning has occurred on your system.
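The check above as a small script, added here as an example and not part of the BaseFortify page or the kernel project: it matches the WARNING line from the trace in the description and reports the process name from the line that follows it. It assumes POSIX sh with grep -E and awk, and the sample kernel log it ships with is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: scan kernel log text for the br_nf_local_in() warning
# signature quoted in the CVE-2025-39894 description. Needs only POSIX
# sh, grep -E and awk; journalctl/dmesg are used only for the live host.

# Signature built from the advisory's trace: a WARNING line that names
# net/bridge/br_netfilter_hooks.c and the br_nf_local_in function.
BR_NF_SIGNATURE='WARNING:.*net/bridge/br_netfilter_hooks[.]c:[0-9]+.*br_nf_local_in'

# Constructed sample kernel log (not a real capture): one unrelated line,
# then lines that mirror the trace in the advisory.
SAMPLE_KLOG='[   12.345678] e1000: eth0 NIC Link is Up 1000 Mbps
[   40.100000] ------------[ cut here ]------------
[   40.100001] WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
[   40.100002] CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
[   40.100003] ---[ end trace 0000000000000000 ]---'

# Print how many WARNING lines on stdin carry the signature (0 if none).
count_br_nf_warnings() {
    grep -E -c "$BR_NF_SIGNATURE" || true
}

# For each hit, print the Comm (process name) from the CPU/PID line that
# follows the WARNING, i.e. the process that wrote to the bridged tap.
br_nf_warning_comms() {
    awk -v sig="$BR_NF_SIGNATURE" '
        hit && /Comm: / { sub(/.*Comm: /, ""); print $1; hit = 0 }
        $0 ~ sig        { hit = 1 }
    '
}

# Live host check: prefer the journal, fall back to the ring buffer
# (dmesg may need root when kernel.dmesg_restrict=1).
scan_host_for_br_nf_warning() {
    { journalctl -k --no-pager 2>/dev/null || dmesg 2>/dev/null; } \
        | count_br_nf_warnings
}

# Stand-alone use: "--host" scans this machine, otherwise the sample is used.
case "${1:-}" in
    --host) scan_host_for_br_nf_warning ;;
    *)      printf '%s\n' "$SAMPLE_KLOG" | count_br_nf_warnings ;;
esac
```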


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to update the Linux kernel to a version that contains the fix, which removes the problematic WARN_ON_ONCE from br_nf_local_in(). Until the update is applied, monitor for the warning message; avoiding sending broadcast packets to tap devices that are attached to a bridge may reduce how often the issue is triggered.

