Linux Kernel up to 6.16.3/6.17-rc2 assertion

Summaryinfo

A vulnerability labeled as critical has been found in Linux Kernel up to 6.16.3/6.17-rc2. This issue affects some unknown processing. Such manipulation leads to an unknown weakness. This vulnerability is referenced as CVE-2025-39768. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.16.3/6.17-rc2 and classified as critical. Using CWE to declare the problem leads to CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. The impact remains unknown. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, fix complex rules rehash error flow Moving rules from matcher to matcher should not fail. However, if it does fail due to various reasons, the error flow should allow the kernel to continue functioning (albeit with broken steering rules) instead of going into series of soft lock-ups or some other problematic behaviour. Similar to the simple rules, complex rules rehash logic suffers from the same problems. This patch fixes the error flow for moving complex rules: - If new rule creation fails before it was even enqeued, do not poll for completion - If TIMEOUT happened while moving the rule, no point trying to poll for completions for other rules. Something is broken, completion won't come, just abort the rehash sequence. - If some other completion with error received, don't give up. Continue handling rest of the rules to minimize the damage. - Make sure that the first error code that was received will be actually returned to the caller instead of replacing it with the generic error code. All the aforementioned issues stem from the same bad error flow, so no point fixing them one by one and leaving partially broken code - fixing them in one patch.

The advisory is available at git.kernel.org. This vulnerability is handled as CVE-2025-39768 since 04/16/2025. The exploitation is known to be difficult. The technical details are unknown and an exploit is not available.

The vulnerability scanner Nessus provides a plugin with the ID 264729 (Linux Distros Unpatched Vulnerability : CVE-2025-39768), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.16.4 or 6.17-rc3 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (264729) and CERT Bund (WID-SEC-2025-2040). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Google Container-Optimized OS
• Debian Linux
• Google Cloud Platform
• Amazon Linux 2
• Red Hat Enterprise Linux
• Fedora Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel
• Proxmox Virtual Environment
• Proxmox Backup Server
• Dell Secure Connect Gateway
• IBM QRadar SIEM

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.16.0
• 6.16.1
• 6.16.2
• 6.16.3
• 6.17-rc1
• 6.17-rc2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion