{"vulnerability": "CVE-2025-21682", "sightings": [{"uuid": "9490b69b-709f-416e-8b72-850ab9ba744c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-21682", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lgzy45fslt2i", "content": "", "creation_timestamp": "2025-01-31T12:16:47.346607Z"}, {"uuid": "488bef9e-844d-486b-849d-64ace2dbccf3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-21682", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/", "content": "", "creation_timestamp": "2026-03-19T00:00:00.000000Z"}, {"uuid": "d9210fe1-c6bd-4a72-95f6-51302b7331a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-21682", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8", "content": "", "creation_timestamp": "2025-12-03T14:14:49.267740Z"}, {"uuid": "607ed559-9e39-4029-96be-4446a1a93311", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-21682", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/3646", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-21682\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: always recalculate features after XDP clearing, fix null-deref\n\nRecalculate features when XDP is detached.\n\nBefore:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: off [requested on]\n\nAfter:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: on\n\nThe fact that HW-GRO doesn't get re-enabled automatically is just\na minor annoyance. The real issue is that the features will randomly\ncome back during another reconfiguration which just happens to invoke\nnetdev_update_features(). The driver doesn't handle reconfiguring\ntwo things at a time very robustly.\n\nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table\nif the \"effective\" number of Rx rings has changed. If HW-GRO is\nenabled \"effective\" number of rings is 2x what user sees.\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"\nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings\ndoing 2x and the ethtool -L doing / 2 may cancel each other out,\nand the:\n\n  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&\n\ncondition in __bnxt_reserve_rings() will be false.\nThe RSS map won't get updated, and we'll crash with:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000168\n  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0\n    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180\n    __bnxt_setup_vnic_p5+0x58/0x110\n    bnxt_init_nic+0xb72/0xf50\n    __bnxt_open_nic+0x40d/0xab0\n    bnxt_open_nic+0x2b/0x60\n    ethtool_set_channels+0x18c/0x1d0\n\nAs we try to access a freed ring.\n\nThe issue is present since XDP support was added, really, but\nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") it wasn't causing major issues.\n\ud83d\udccf Published: 2025-01-31T12:33:03Z\n\ud83d\udccf Modified: 2025-01-31T12:33:03Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln/detail/CVE-2025-21682\n2. https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93\n3. https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd", "creation_timestamp": "2025-01-31T13:14:57.000000Z"}, {"uuid": "aba20988-8575-402a-b5b4-8bbc2a20afd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-21682", "type": "seen", "source": "https://t.me/cvedetector/16938", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21682 - \"Broadcom bnxt: Null-dereference Vulnerability in XDP Handling\"\", \n  \"Content\": \"CVE ID : CVE-2025-21682 \nPublished : Jan. 31, 2025, 12:15 p.m. | 1\u00a0hour, 34\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \neth: bnxt: always recalculate features after XDP clearing, fix null-deref  \n  \nRecalculate features when XDP is detached.  \n  \nBefore:  \n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp  \n  # ip li set dev eth0 xdp off  \n  # ethtool -k eth0 | grep gro  \n  rx-gro-hw: off [requested on]  \n  \nAfter:  \n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp  \n  # ip li set dev eth0 xdp off  \n  # ethtool -k eth0 | grep gro  \n  rx-gro-hw: on  \n  \nThe fact that HW-GRO doesn't get re-enabled automatically is just  \na minor annoyance. The real issue is that the features will randomly  \ncome back during another reconfiguration which just happens to invoke  \nnetdev_update_features(). The driver doesn't handle reconfiguring  \ntwo things at a time very robustly.  \n  \nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in  \n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table  \nif the \"effective\" number of Rx rings has changed. If HW-GRO is  \nenabled \"effective\" number of rings is 2x what user sees.  \nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"  \nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings  \ndoing 2x and the ethtool -L doing / 2 may cancel each other out,  \nand the:  \n  \n  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&  \n  \ncondition in __bnxt_reserve_rings() will be false.  \nThe RSS map won't get updated, and we'll crash with:  \n  \n  BUG: kernel NULL pointer dereference, address: 0000000000000168  \n  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0  \n    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180  \n    __bnxt_setup_vnic_p5+0x58/0x110  \n    bnxt_init_nic+0xb72/0xf50  \n    __bnxt_open_nic+0x40d/0xab0  \n    bnxt_open_nic+0x2b/0x60  \n    ethtool_set_channels+0x18c/0x1d0  \n  \nAs we try to access a freed ring.  \n  \nThe issue is present since XDP support was added, really, but  \nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in  \n__bnxt_reserve_rings()\") it wasn't causing major issues. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"31 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-31T15:22:34.000000Z"}]}