CVE-2025-39894

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, which can be triggered by a normal packet to a non-bridge device, the below warning may happen.

————[ cut here ]———— WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) RIP: 0010:br_nf_local_in+0x168/0x200 Call Trace: <TASK> nf_hook_slow+0x3e/0xf0 br_pass_frame_up+0x103/0x180 br_handle_frame_finish+0x2de/0x5b0 br_nf_hook_thresh+0xc0/0x120 br_nf_pre_routing_finish+0x168/0x3a0 br_nf_pre_routing+0x237/0x5e0 br_handle_frame+0x1ec/0x3c0 __netif_receive_skb_core+0x225/0x1210 __netif_receive_skb_one_core+0x37/0xa0 netif_receive_skb+0x36/0x160 tun_get_user+0xa54/0x10c0 tun_chr_write_iter+0x65/0xb0 vfs_write+0x305/0x410 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> —[ end trace 0000000000000000 ]—

To solve the hash conflict, nf_ct_resolve_clash() try to merge the conntracks, and update skb->_nfct. However, br_nf_local_in() still use the old ct from local variable 'nfct' after confirm(), which leads to this warning.

If confirm() does not insert the conntrack entry and return NF_DROP, the warning may also occur. There is no need to reserve the WARN_ON_ONCE, just remove it.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7c3f28599652acf431a2211168de4a583f30b6d5 < d00c8b0daf56012f69075e3377da67878c775e4caffected
LinuxLinux2b1414d5e94e477edff1d2c79030f1d742625ea0 < ccbad4803225eafe0175d3cb19f0d8d73b504a94affected
LinuxLinux80cd0487f630b5382734997c3e5e3003a77db315 < 50db11e2bbb635e38e3dd096215580d6adb41fb0affected
LinuxLinux62e7151ae3eb465e0ab52a20c941ff33bb6332e9 < c47ca77fee9071aa543bae592dd2a384f895c8b6affected
LinuxLinux62e7151ae3eb465e0ab52a20c941ff33bb6332e9 < a74abcf0f09f59daeecf7a3ba9c1d690808b0afeaffected
LinuxLinux62e7151ae3eb465e0ab52a20c941ff33bb6332e9 < 479a54ab92087318514c82428a87af2d7af1a576affected
LinuxLinuxcb734975b0ffa688ff6cc0eed463865bf07b6c01affected
LinuxLinux5.15.151 < 5.15.192affected
LinuxLinux6.1.81 < 6.1.151affected
LinuxLinux6.6.21 < 6.6.105affected
LinuxLinux6.7.9 < 6.8affected
LinuxLinux6.8affected
LinuxLinux0 < 6.8unaffected
LinuxLinux5.15.192 <= 5.15.*unaffected
LinuxLinux6.1.151 <= 6.1.*unaffected
LinuxLinux6.6.105 <= 6.6.*unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.16.6 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References