CVE-2025-21974 in Linux
Summary
by MITRE • 04/01/2025
In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()
The bnxt_queue_mem_alloc() is called to allocate new queue memory when a queue is restarted. It internally accesses rx buffer descriptor corresponding to the index. The rx buffer descriptor is allocated and set when the interface is up and it's freed when the interface is down. So, if queue is restarted if interface is down, kernel panic occurs.
Splat looks like: BUG: unable to handle page fault for address: 000000000000b240 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 UID: 0 PID: 1563 Comm: ncdevmem2 Not tainted 6.14.0-rc2+ #9 844ddba6e7c459cafd0bf4db9a3198e Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en]
Code: 41 54 4d 89 c4 4d 69 c0 c0 05 00 00 55 48 89 f5 53 48 89 fb 4c 8d b5 40 05 00 00 48 83 ec 15 RSP: 0018:ffff9dcc83fef9e8 EFLAGS: 00010202 RAX: ffffffffc0457720 RBX: ffff934ed8d40000 RCX: 0000000000000000 RDX: 000000000000001f RSI: ffff934ea508f800 RDI: ffff934ea508f808 RBP: ffff934ea508f800 R08: 000000000000b240 R09: ffff934e84f4b000 R10: ffff9dcc83fefa30 R11: ffff934e84f4b000 R12: 000000000000001f R13: ffff934ed8d40ac0 R14: ffff934ea508fd40 R15: ffff934e84f4b000 FS: 00007fa73888c740(0000) GS:ffff93559f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000b240 CR3: 0000000145a2e000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15a/0x460 ? exc_page_fault+0x6e/0x180 ? asm_exc_page_fault+0x22/0x30 ? __pfx_bnxt_queue_mem_alloc+0x10/0x10 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]
? bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]
netdev_rx_queue_restart+0xc5/0x240 net_devmem_bind_dmabuf_to_queue+0xf8/0x200 netdev_nl_bind_rx_doit+0x3a7/0x450 genl_family_rcv_msg_doit+0xd9/0x130 genl_rcv_msg+0x184/0x2b0 ? __pfx_netdev_nl_bind_rx_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 ...
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/01/2026
The vulnerability described in CVE-2025-21974 resides within the Linux kernel's bnxt network driver, specifically in the bnxt_queue_mem_alloc() function. This issue manifests when a network interface is in a down state and a queue restart operation is attempted, leading to a kernel panic due to an invalid memory access. The problem stems from the driver's improper handling of queue memory allocation when the interface status does not align with the expected operational state. When the interface is down, the receive buffer descriptors are deallocated, but the function still attempts to access these freed memory locations during queue restart operations, resulting in a page fault that terminates kernel execution.
The technical flaw occurs because the bnxt_queue_mem_alloc() function does not validate the interface state before proceeding with memory operations that depend on interface-specific data structures. This design flaw creates a race condition and memory access violation scenario where the driver assumes that receive buffer descriptors are available for access even when the interface has been brought down. The kernel panic results from attempting to read from a memory address that no longer contains valid data, as indicated by the page fault error code and the specific memory address 0x000000000000b240 that the system attempts to access. This type of vulnerability falls under the category of improper validation of interface states and memory management within kernel space drivers.
The operational impact of this vulnerability is severe as it can cause complete system crashes and denial of service conditions when network interfaces are managed dynamically through kernel interfaces. The vulnerability is particularly dangerous in environments where network interface states change frequently or during system administration operations that involve interface restarts. Attackers could potentially exploit this vulnerability to cause system instability or force kernel panics, effectively creating a denial of service condition that affects network connectivity and system availability. The issue is classified as a kernel-level memory corruption vulnerability that can lead to system crashes and requires immediate patching to maintain system stability.
Mitigation strategies for this vulnerability involve implementing proper state validation checks within the bnxt_queue_mem_alloc() function to ensure that queue memory allocation only proceeds when the network interface is in an active state. The recommended approach is to add a conditional check that verifies the interface status before attempting any memory operations that depend on interface-specific data structures. This aligns with the common weakness pattern described in CWE-252, which deals with improper checks for an expected condition. Additionally, implementing proper error handling and return codes when interface states are inconsistent will prevent the kernel from attempting invalid memory accesses. The fix should be consistent with the ATT&CK framework's approach to kernel exploitation prevention, particularly targeting techniques related to privilege escalation through kernel memory corruption. System administrators should ensure that all affected kernel versions are patched promptly and that monitoring systems are in place to detect potential kernel panics related to network interface management operations.