CVE-2025-21960 – This is a Linux kernel vulnerability in the Bro... (How to Fix)

Q: What is the severity of CVE-2025-21960?

CVE-2025-21960 has a CVSS score of 5.5 (MEDIUM). This is a Linux kernel vulnerability in the Broadcom NetXtreme Ethernet driver (bnxt) where duplicate checksum updates cause a kernel warning when XDP-MB programs return XDP_PASS. The issue can cause system instability through kernel warnings and potential crashes. It affects systems using Broadcom NetXtreme Ethernet adapters with XDP-MB enabled.

📋 TL;DR

This is a Linux kernel vulnerability in the Broadcom NetXtreme Ethernet driver (bnxt) where duplicate checksum updates cause a kernel warning when XDP-MB programs return XDP_PASS. The issue can cause system instability through kernel warnings and potential crashes. It affects systems using Broadcom NetXtreme Ethernet adapters with XDP-MB enabled.

💻 Affected Systems

Products:

Linux kernel with bnxt_en driver

Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using Broadcom NetXtreme Ethernet adapters with XDP-MB (eXpress Data Path multi-buffer) programs attached and returning XDP_PASS.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash due to repeated warnings under heavy network traffic, leading to denial of service.

🟠

Likely Case

Kernel warning messages in system logs and potential performance degradation, but no direct remote code execution.

🟢

If Mitigated

Minor performance impact with warning messages in logs, but system remains operational.

🌐 Internet-Facing: LOW - Requires specific driver configuration with XDP-MB enabled and network access to trigger.

🏢 Internal Only: MEDIUM - Internal systems using affected Broadcom adapters with XDP-MB could experience instability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to load XDP-MB programs and generate specific network traffic patterns. No known weaponized exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commits 44578bc6460b8fca530fc7bd5897c115d9bd27e2 and related fixes

Vendor Advisory: https://git.kernel.org/stable/c/44578bc6460b8fca530fc7bd5897c115d9bd27e2

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. For distributions: Use package manager (apt/yum/dnf) to update kernel. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable XDP-MB on bnxt interfaces

linux

Remove XDP-MB programs from Broadcom NetXtreme Ethernet interfaces to prevent triggering the duplicate checksum update.

ip link set dev <interface> xdpmode off

🧯 If You Can't Patch

Disable XDP-MB functionality on all Broadcom NetXtreme Ethernet interfaces
Monitor system logs for kernel warnings and restart affected systems if warnings appear

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if bnxt driver is loaded with XDP-MB: 'uname -r' and 'lsmod | grep bnxt'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits: 'uname -r' and verify with distribution's changelog

📡 Detection & Monitoring

Log Indicators:

Kernel warning messages containing 'bnxt_rx_pkt' and 'WARNING' in /var/log/kern.log or dmesg

Network Indicators:

Unusual network performance degradation on systems with Broadcom adapters

SIEM Query:

source="kern.log" AND "WARNING" AND "bnxt_rx_pkt"

📊 Metadata

CVE ID: CVE-2025-21960

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score: 0.09% exploit probability (25.8th percentile)

Published: April 1, 2025

Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON