CVE-2025-38678 in Linux
Summary
by MITRE • 09/03/2025
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject duplicate device on updates
A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device.
Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case.
WARNING is hit when unregistering the hook:
[49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
[49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
[...]
[49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability CVE-2025-38678 resides within the Linux kernel's netfilter subsystem, specifically in the nf_tables component that manages network filtering rules and flow tables. This issue manifests when processing chain or flowtable updates that contain duplicate device references within the same transaction batch, creating a scenario where device registration and unregistration operations become inconsistent. The problem stems from the netdev event handling mechanism which only removes the first occurrence of a duplicated device during cleanup operations, leaving subsequent duplicate devices in an unregistered state. This architectural flaw creates a potential security risk by allowing malicious actors to exploit the inconsistent device state management during network filtering operations.
The technical implementation of this vulnerability occurs in the netfilter core subsystem where the nf_hook_entry_head function fails to properly validate device uniqueness during batch operations. When multiple references to the same network device are present in a single transaction, the kernel's device management logic only processes the first instance for removal while leaving others in an inconsistent state. This leads to a WARNING message being generated in the kernel log as shown in the vulnerability description, indicating that the system has encountered an unexpected condition during hook entry processing. The underlying cause aligns with CWE-129, which addresses improper validation of input ranges, and CWE-691, concerning inadequate protection against insufficiently protected device access.
The operational impact of this vulnerability extends beyond simple system warnings to potentially compromise network security and system stability. When duplicate device references exist in netfilter operations, the kernel's ability to properly manage network packet filtering becomes compromised, as some device hooks may remain active while others are improperly unregistered. This inconsistency can lead to unpredictable packet filtering behavior, potential bypasses of security rules, and in severe cases, system instability or denial of service conditions. The vulnerability particularly affects systems heavily reliant on netfilter for network security management, including firewalls, network appliances, and systems implementing complex traffic control policies.
Mitigation strategies for this vulnerability require immediate kernel updates to address the specific device duplicate handling logic in the nf_tables subsystem. System administrators should prioritize patching affected kernels to version containing the fix that implements proper duplicate device detection and returns EEXIST error codes when duplicates are detected in transaction batches. Additionally, monitoring systems should be enhanced to detect WARNING messages related to nf_hook_entry_head function calls and investigate any instances of duplicate device references in network filtering operations. Organizations should also implement defensive network configurations that minimize the likelihood of duplicate device references in critical filtering rules and establish regular auditing procedures to identify potentially problematic device configurations. This vulnerability demonstrates the importance of proper input validation in kernel space operations and aligns with ATT&CK technique T1548.001 for privilege escalation through kernel exploits, making it critical to address promptly.