CVE-2025-39894

MEDIUM · EPSS 3.7%
CVSS 3.1: 5.5 Medium
Published Oct 1, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When sending a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() tries to merge the conntracks, and updates skb->_nfct. However, br_nf_local_in() still uses the old ct from local variable 'nfct' after confirm(), which leads to this warning.

If confirm() does not insert the conntrack entry and returns NF_DROP, the warning may also occur. There is no need to reserve the WARN_ON_ONCE, just remove it.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 13

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.15.151 – <5.15.192
linux   linux_kernel  *        ≥6.1.81 – <6.1.151
linux   linux_kernel  *        ≥6.6.21 – <6.6.105
linux   linux_kernel  *        ≥6.7.9 – <6.8
linux   linux_kernel  *        ≥6.8.1 – <6.12.46
linux   linux_kernel  *        ≥6.13 – <6.16.6
linux   linux_kernel  6.8      any
linux   linux_kernel  6.8      any
linux   linux_kernel  6.17     any
linux   linux_kernel  6.17     any
linux   linux_kernel  6.17     any
linux   linux_kernel  6.17     any
debian  debian_linux  11.0     any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c
    Patch