CVE-2025-21973 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}

When qstats-get operation is executed, callbacks of netdev_stats_ops are called. The bnxt_get_queue_stats{rx | tx} collect per-queue stats
from sw_stats in the rings. But {rx | tx | cp}_ring are allocated when the interface is up.
So, these rings are not allocated when the interface is down.

The qstats-get is allowed even if the interface is down. However, the bnxt_get_queue_stats{rx | tx}() accesses cp_ring and tx_ring
without null check. So, it needs to avoid accessing rings if the interface is down.

Reproducer: ip link set $interface down ./cli.py --spec netdev.yaml --dump qstats-get OR ip link set $interface down python ./stats.py

Splat looks like: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1680fa067 P4D 1680fa067 PUD 16be3b067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 UID: 0 PID: 1495 Comm: python3 Not tainted 6.14.0-rc4+ #32 5cd0f999d5a15c574ac72b3e4b907341 Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en]
Code: c6 87 b5 18 00 00 02 eb a2 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 01 RSP: 0018:ffffabef43cdb7e0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffc04c8710 RCX: 0000000000000000 RDX: ffffabef43cdb858 RSI: 0000000000000000 RDI: ffff8d504e850000 RBP: ffff8d506c9f9c00 R08: 0000000000000004 R09: ffff8d506bcd901c R10: 0000000000000015 R11: ffff8d506bcd9000 R12: 0000000000000000 R13: ffffabef43cdb8c0 R14: ffff8d504e850000 R15: 0000000000000000 FS: 00007f2c5462b080(0000) GS:ffff8d575f600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000167fd0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15a/0x460 ? sched_balance_find_src_group+0x58d/0xd10 ? exc_page_fault+0x6e/0x180 ? asm_exc_page_fault+0x22/0x30 ? bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en cdd546fd48563c280cfd30e9647efa420db07bf1]
netdev_nl_stats_by_netdev+0x2b1/0x4e0 ? xas_load+0x9/0xb0 ? xas_find+0x183/0x1d0 ? xa_find+0x8b/0xe0 netdev_nl_qstats_get_dumpit+0xbf/0x1e0 genl_dumpit+0x31/0x90 netlink_dump+0x1a8/0x360

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/01/2026

The vulnerability CVE-2025-21973 affects the Linux kernel's bnxt network driver, specifically within the bnxt_get_queue_stats_rx and bnxt_get_queue_stats_tx functions. This issue stems from a lack of proper null pointer validation when accessing hardware ring structures during queue statistics collection operations. The affected driver handles Broadcom NetXtreme II and III network interfaces, where the software statistics are retrieved from ring structures that are only allocated when the network interface is brought up. When the interface is down, these rings remain unallocated, yet the qstats-get operation can still be invoked, leading to a kernel panic due to null pointer dereference.

The technical flaw manifests when the netdev_stats_ops callbacks are executed during a qstats-get operation. The bnxt_get_queue_stats_rx and bnxt_get_queue_stats_tx functions attempt to access cp_ring and tx_ring structures without verifying whether these rings have been allocated. This condition is particularly dangerous because the kernel's netlink interface allows statistics queries even when interfaces are administratively down, creating a mismatch between the expected state and actual memory allocation. The kernel oops trace reveals the exact point of failure at bnxt_get_queue_stats_rx+0xf, where a null pointer dereference occurs when attempting to access memory address 0x0000000000000000, which corresponds to the uninitialized ring structures.

This vulnerability directly maps to CWE-476 Null Pointer Dereference, a well-documented weakness in software security that occurs when a null value is dereferenced as if it were a valid pointer. The operational impact of this vulnerability is significant as it can cause system crashes and kernel panics, leading to denial of service conditions for network services. Attackers could potentially exploit this by repeatedly invoking qstats-get operations on down interfaces, causing system instability. The vulnerability also relates to ATT&CK technique T1499.001, which involves network disruption through kernel-level manipulation, and T1562.001, which encompasses system shutdown or crash techniques.

Mitigation strategies should focus on implementing proper null pointer checks within the bnxt_get_queue_stats_rx and bnxt_get_queue_stats_tx functions before accessing ring structures. The recommended fix involves adding conditional checks to verify that rings are allocated before attempting to access them, similar to how other network drivers handle such scenarios. Additionally, the kernel should validate interface state before processing qstats-get requests, ensuring that statistics collection only proceeds when the interface is in an active state. System administrators should ensure their kernels are updated with the patched version that includes proper null validation and state checking mechanisms to prevent unauthorized exploitation of this vulnerability. The fix should also include proper error handling that returns appropriate error codes rather than causing kernel panics when rings are not allocated.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00178

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!