Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-39851— vxlan: Fix NPD when refreshing an FDB entry with a nexthop object

EPSS 0.01% · P2

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinux1274e1cc42264d4e629841e4f182795cb0becfd2< 4ff4f3104da6507e0f118c63c4560dfdeb59dce3affected
1274e1cc42264d4e629841e4f182795cb0becfd2< 0e8630f24c14d9c655d19eabe2e52a9e9f713307affected
1274e1cc42264d4e629841e4f182795cb0becfd2< 6ead38147ebb813f08be6ea8ef547a0e4c09559aaffected
5.8affected
< 5.8unaffected
6.12.46≤ 6.12.*unaffected
6.16.6≤ 6.16.*unaffected
6.17≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-39851

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled. However, when learning is enabled, an incoming packet might try to refresh an FDB entry that points to an FDB nexthop group and therefore does not have a remote. Such packets should be dropped, but they are only dropped after dereferencing the non-existent remote, resulting in a NPD [1] which can be reproduced using [2]. Fix by dropping such packets earlier. Remove the misleading comment from first_remote_rcu(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:vxlan_snoop+0x98/0x1e0 [...] Call Trace: <TASK> vxlan_encap_bypass+0x209/0x240 encap_bypass_if_local+0xb1/0x100 vxlan_xmit_one+0x1375/0x17e0 vxlan_xmit+0x6b4/0x15f0 dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 packet_sendmsg+0x113a/0x1850 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] #!/bin/bash ip address add 192.0.2.1/32 dev lo ip address add 192.0.2.2/32 dev lo ip nexthop add id 1 via 192.0.2.3 fdb ip nexthop add id 10 group 1 fdb ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020 bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10 mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未正确处理指向FDB nexthop组的FDB条目,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1274e1cc42264d4e629841e4f182795cb0becfd2 ~ 4ff4f3104da6507e0f118c63c4560dfdeb59dce3 -
LinuxLinux 5.8 -

II. Public POCs for CVE-2025-39851

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-39851

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-09-19 · 30 CVEs total

CVE-2025-39852net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
CVE-2025-39837platform/x86: asus-wmi: Fix racy registrations
CVE-2025-39838cifs: prevent NULL pointer dereference in UTF16 conversion
CVE-2025-39839batman-adv: fix OOB read/write in network-coding decode
CVE-2025-39840audit: fix out-of-bounds read in audit_compare_dname_path()
CVE-2025-39841scsi: lpfc: Fix buffer free/clear order in deferred receive path
CVE-2025-39842ocfs2: prevent release journal inode after journal shutdown
CVE-2025-39844mm: move page table sync declarations to linux/pgtable.h
CVE-2025-39843mm: slub: avoid wake up kswapd in set_track_prepare
CVE-2025-39845x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
CVE-2025-39846pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
CVE-2025-39847ppp: fix memory leak in pad_compress_skb
CVE-2025-39848ax25: properly unshare skbs in ax25_kiss_rcv()
CVE-2025-39849wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
CVE-2025-39850vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
CVE-2025-39866fs: writeback: fix use-after-free in __mark_inode_dirty()
CVE-2025-39853i40e: Fix potential invalid access when MAC list is empty
CVE-2025-39854ice: fix NULL access of tx->in_use in ice_ll_ts_intr
CVE-2025-39856net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev
CVE-2025-39855ice: fix NULL access of tx->in_use in ice_ptp_ts_irq

Showing top 20 of 30 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-39851

No comments yet

Leave a comment