CVE-2025-68770
Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix XDP_TX path

For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell.

For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt().

The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets.

The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp().
Meta Information
Published: 2026-01-13
Last Modified: 2026-01-14
Generated: 2026-05-07
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
bnxt | bnxt_en | *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the XDP_TX path of the Linux kernel's bnxt_en driver. The bnxt_rx_xdp() function does not clear event flags correctly. It can run several times within one NAPI poll, and if the BNXT_TX_EVENT flag was set in an earlier iteration to indicate pending XDP_TX packets, a later XDP_TX action clears it. The flag is set again only when __bnxt_xmit_xdp() is called successfully, so if the TX ring has no more room it stays cleared and the driver does not hit the TX doorbell even though the TX producer has advanced. The RX ring associated with the TX XDP ring then eventually becomes empty and packets are dropped, because the driver stops refilling the RX ring while it sees XDP_TX packets as still pending. The fix is to clear only the BNXT_RX_EVENT flag, and only after __bnxt_xmit_xdp() has been called successfully.
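A simplified user-space model of the flag handling described above, added here as an illustration; it is not the bnxt_en driver's code. The flag bit values, `struct tx_ring`, `rx_xdp_tx()` and `poll_once()` are assumptions made for the model, and the old path is modelled as clearing all accumulated flags.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed bit values for this model; not the driver's definitions. */
#define BNXT_RX_EVENT 1u
#define BNXT_TX_EVENT 2u

struct tx_ring { unsigned prod, doorbell, size; };

/* Stand-in for __bnxt_xmit_xdp(): queue one packet by advancing the producer. */
static void xmit_xdp(struct tx_ring *tx) { tx->prod++; }

/* One XDP_TX action inside the NAPI loop; fixed=false models the old path. */
static void rx_xdp_tx(struct tx_ring *tx, unsigned *event, bool fixed)
{
    bool room = tx->prod < tx->size;  /* no TX completions during this poll */

    if (!fixed)
        *event = 0;                   /* old: flags from earlier iterations are lost */
    if (!room)
        return;                       /* ring full: nothing queued, no flag set */
    if (fixed)
        *event &= ~BNXT_RX_EVENT;     /* fix: clear only RX, only on success */
    xmit_xdp(tx);
    *event |= BNXT_TX_EVENT;
}

/* One poll where every packet gets XDP_TX. Returns the number of queued
 * TX entries the doorbell never announced to the hardware. */
static unsigned poll_once(unsigned pkts, unsigned ring_size, bool fixed)
{
    struct tx_ring tx = { 0, 0, ring_size };
    unsigned event = 0;

    for (unsigned i = 0; i < pkts; i++) {
        event |= BNXT_RX_EVENT;       /* RX work noted per packet (model assumption) */
        rx_xdp_tx(&tx, &event, fixed);
    }
    if (event & BNXT_TX_EVENT)
        tx.doorbell = tx.prod;        /* end of poll: hit the TX doorbell */
    return tx.prod - tx.doorbell;
}

int main(void)
{
    printf("old path:   %u queued without doorbell\n", poll_once(5, 4, false));
    printf("fixed path: %u queued without doorbell\n", poll_once(5, 4, true));
    return 0;
}
```

With five XDP_TX packets and a four-entry ring, the old path leaves four entries queued with no doorbell, which is the "TX producer ahead" state from the description; when the ring never fills, both paths behave the same.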


How can this vulnerability impact me?

This vulnerability can cause packet loss because the RX ring associated with the TX XDP ring will eventually become empty and all incoming packets will be dropped. This happens because the driver incorrectly manages event flags, leading to a situation where it stops refilling the RX ring, resulting in network communication disruption.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in the Linux kernel by correcting the handling of event flags in the bnxt_en driver for XDP_TX actions. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for the bnxt_en driver as described. This will ensure proper clearing and setting of event flags, preventing packet drops caused by the TX ring being full and the RX ring becoming empty.

