CVE-2025-39894

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When sending a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() tries to merge the
conntracks, and updates skb->_nfct. However, br_nf_local_in() still uses the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.

If confirm() does not insert the conntrack entry and returns NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.
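
The stale-pointer pattern described above, as an added user-space model (not kernel code and not part of the original commit). Every toy_* name is hypothetical, and only the hash-clash case is modelled, not the NF_DROP case.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model; every toy_* name is hypothetical. */
struct toy_ct  { unsigned hash; bool confirmed; };
struct toy_skb { struct toy_ct *nfct; };   /* stands in for skb->_nfct */

#define TOY_BUCKETS 8
#define TOY_ACCEPT  1
static struct toy_ct *toy_table[TOY_BUCKETS];

/* Confirm the skb's entry. On a hash clash, resolve it by pointing the skb
 * at the entry already in the table; the losing entry stays unconfirmed. */
static int toy_confirm(struct toy_skb *skb)
{
    struct toy_ct *ct = skb->nfct;
    struct toy_ct **slot = &toy_table[ct->hash % TOY_BUCKETS];
    if (*slot && *slot != ct) {
        skb->nfct = *slot;             /* skb now references the winner */
        return TOY_ACCEPT;
    }
    ct->confirmed = true;
    *slot = ct;
    return TOY_ACCEPT;
}

/* Old pattern: pointer cached before confirm, confirmed bit checked after.
 * Returns true when that check would have fired the warning. */
static bool toy_stale_check_fires(struct toy_skb *skb)
{
    struct toy_ct *nfct = skb->nfct;   /* cached before confirm */
    toy_confirm(skb);
    return !nfct->confirmed;
}

/* Constructed scenario: entry a is confirmed, then entry b with the same
 * hash arrives on a second skb and loses the clash. */
static bool toy_clash_scenario(void)
{
    static struct toy_ct a = { .hash = 3 }, b = { .hash = 3 };
    struct toy_skb first = { &a }, second = { &b };
    toy_table[3] = NULL;
    a.confirmed = b.confirmed = false;
    toy_confirm(&first);
    return toy_stale_check_fires(&second) && second.nfct == &a && a.confirmed;
}

int main(void) { return toy_clash_scenario() ? 0 : 1; }
```

In the model the skb ends up referencing a confirmed entry, so the packet state is fine; only the check on the cached pointer reports a problem.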

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | UNKNOWN | ---
Linux | CNA | --- | ---
CVE | ADP | --- | ---

Awaiting analysis: This vulnerability is currently awaiting analysis.

EPSS Score percentile: 9%

Debian Releases

Product | Codename | Version | Status
linux | bullseye | 5.10.223-1 | not-affected
linux | bullseye (security) | 5.10.244-1 | fixed
linux | bookworm | | vulnerable
linux | bookworm (security) | 6.1.158-1 | fixed
linux | trixie | 6.12.57-1 | fixed
linux | trixie (security) | 6.12.48-1 | fixed
linux | forky | 6.16.12-2 | fixed
linux | sid | 6.17.7-2 | fixed
linux-6.1 | bullseye (security) | 6.1.153-1~deb11u1 | fixed

Ubuntu Releases

Product | Status by codename
linux | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage; bionic: needs-triage; xenial: needs-triage; trusty: needs-triage
linux-hwe | plucky: dne; noble: dne; jammy: dne; bionic: ignored; xenial: needs-triage
linux-hwe-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-hwe-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-hwe-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-hwe-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-hwe-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-hwe-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-hwe-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-hwe-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-hwe-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-hwe-6.11 | plucky: dne; noble: ignored; jammy: dne
linux-hwe-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-hwe-edge | plucky: dne; noble: dne; jammy: dne; bionic: ignored; xenial: ignored
linux-lts-xenial | plucky: dne; noble: dne; jammy: dne; trusty: needs-triage
linux-kvm | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage; bionic: needs-triage; xenial: needs-triage
linux-allwinner-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-aws | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage; bionic: needs-triage; xenial: needs-triage; trusty: needs-triage
linux-aws-5.0 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-aws-5.3 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-aws-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-aws-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-aws-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-aws-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-aws-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-aws-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-aws-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-aws-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-aws-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-aws-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-aws-hwe | plucky: dne; noble: dne; jammy: dne; xenial: needs-triage
linux-azure | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage; bionic: ignored; xenial: needs-triage; trusty: needs-triage
linux-azure-4.15 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-azure-5.3 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-azure-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-azure-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-azure-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-azure-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-azure-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-azure-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-azure-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-azure-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-azure-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-azure-6.11 | plucky: dne; noble: ignored; jammy: dne
linux-azure-fde | plucky: needs-triage; noble: dne; jammy: needs-triage; focal: ignored
linux-azure-fde-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-azure-fde-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-azure-fde-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-azure-nvidia | plucky: dne; noble: needs-triage; jammy: dne
linux-bluefield | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-azure-edge | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-fips | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage; bionic: needs-triage; xenial: needs-triage
linux-aws-fips | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage; bionic: needs-triage
linux-azure-fips | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage; bionic: needs-triage
linux-gcp-fips | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage; bionic: needs-triage
linux-gcp | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage; bionic: ignored; xenial: needs-triage
linux-gcp-4.15 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-gcp-5.3 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-gcp-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-gcp-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-gcp-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-gcp-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-gcp-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-gcp-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-gcp-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-gcp-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-gcp-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-gcp-6.11 | plucky: dne; noble: ignored; jammy: dne
linux-gcp-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-gke | plucky: dne; noble: needs-triage; jammy: needs-triage; focal: ignored
linux-gke-4.15 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-gke-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-gke-5.15 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-gkeop | plucky: dne; noble: needs-triage; jammy: needs-triage; focal: ignored
linux-gkeop-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-gkeop-5.15 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-ibm | plucky: dne; noble: needs-triage; jammy: needs-triage; focal: needs-triage
linux-ibm-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-ibm-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-ibm-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-intel-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-intel-iotg | plucky: dne; noble: dne; jammy: needs-triage
linux-intel-iotg-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-iot | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-intel-iot-realtime | plucky: dne; noble: dne; jammy: needs-triage
linux-lowlatency | plucky: dne; noble: needs-triage; jammy: needs-triage
linux-lowlatency-hwe-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-lowlatency-hwe-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-lowlatency-hwe-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-lowlatency-hwe-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-lowlatency-hwe-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-lowlatency-hwe-6.11 | plucky: dne; noble: ignored; jammy: dne
linux-nvidia | plucky: dne; noble: needs-triage; jammy: needs-triage
linux-nvidia-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-nvidia-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-nvidia-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-nvidia-6.11 | plucky: dne; noble: needs-triage; jammy: dne
linux-nvidia-lowlatency | plucky: dne; noble: needs-triage; jammy: dne
linux-nvidia-tegra | plucky: dne; noble: needs-triage; jammy: needs-triage
linux-nvidia-tegra-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-nvidia-tegra-igx | plucky: dne; noble: dne; jammy: needs-triage
linux-oracle | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage; bionic: needs-triage; xenial: needs-triage
linux-oracle-5.0 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-oracle-5.3 | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-oracle-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-oracle-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oracle-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oracle-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oracle-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-oracle-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-oracle-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-oracle-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-oem | plucky: dne; noble: dne; jammy: dne; bionic: ignored
linux-oem-5.6 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oem-5.10 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oem-5.13 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oem-5.14 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-oem-5.17 | plucky: dne; noble: dne; jammy: ignored
linux-oem-6.0 | plucky: dne; noble: dne; jammy: ignored
linux-oem-6.1 | plucky: dne; noble: dne; jammy: ignored
linux-oem-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-oem-6.8 | plucky: dne; noble: needs-triage; jammy: dne
linux-oem-6.11 | plucky: dne; noble: needs-triage; jammy: dne
linux-oem-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-raspi | plucky: needs-triage; noble: needs-triage; jammy: needs-triage; focal: needs-triage
linux-raspi2 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-raspi-5.4 | plucky: dne; noble: dne; jammy: dne; bionic: needs-triage
linux-raspi-realtime | plucky: dne; noble: needs-triage; jammy: dne
linux-realtime | plucky: needs-triage; noble: needs-triage; jammy: needs-triage
linux-realtime-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-realtime-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-riscv | plucky: needs-triage; noble: ignored; jammy: ignored; focal: ignored
linux-riscv-5.8 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-riscv-5.11 | plucky: dne; noble: dne; jammy: dne; focal: ignored
linux-riscv-5.15 | plucky: dne; noble: dne; jammy: dne; focal: needs-triage
linux-riscv-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-riscv-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-riscv-6.8 | plucky: dne; noble: dne; jammy: needs-triage
linux-riscv-6.14 | plucky: dne; noble: needs-triage; jammy: dne
linux-starfive-5.19 | plucky: dne; noble: dne; jammy: ignored
linux-starfive-6.2 | plucky: dne; noble: dne; jammy: ignored
linux-starfive-6.5 | plucky: dne; noble: dne; jammy: ignored
linux-xilinx-zynqmp | plucky: dne; noble: dne; jammy: needs-triage; focal: needs-triage