CVE-2025-37921
📋 TL;DR
When a VNI is deleted from a VXLAN device running in 'vnifilter' mode, the Linux kernel removes the FDB entry for that VNI's default remote without holding the FDB hash lock. The unlocked deletion can race with concurrent FDB operations on the same device, and on kernels built with lockdep it trips the lock assertion in vxlan_find_mac and logs a kernel WARNING. Only VXLAN devices created with the vnifilter flag are affected; ordinary one-device-per-VNI VXLAN setups do not exercise this code path.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
An FDB deletion racing a concurrent FDB update on the same device without the hash lock is the class of inconsistency that can corrupt the FDB hash list and end in a use-after-free or kernel panic. The advisory documents only the lockdep warning, not a crash or an exploit, so treat this as the theoretical ceiling rather than an observed outcome.
Likely Case
On kernels built with CONFIG_PROVE_LOCKING, a WARNING from vxlan_find_mac in the kernel log each time a VNI is deleted from a vnifilter device. Production kernels are normally built without lockdep, so on most systems the bug is silent. VXLAN connectivity may be disrupted if the racing FDB operation leaves stale or missing forwarding entries.
If Mitigated
With the fix applied, the default FDB entry is deleted under the hash lock like every other FDB operation. VNI deletion is a rare control-plane action, so the extra lock acquisition has no meaningful performance cost.
🎯 Exploit Status
Triggering the bug requires the ability to delete a VNI from a vnifilter VXLAN device, which is a netlink operation (e.g. 'bridge vni del vni <id> dev <dev>') that needs CAP_NET_ADMIN in the device's network namespace; remote network traffic alone cannot trigger it. Turning the missing lock into anything beyond a warning would additionally require a concurrent FDB operation on the same device to land inside the timing window. No exploit code is cited in the references below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernels carrying the fix commit linked below or one of the stable backports listed under References (the page does not list exact version numbers; use your distribution's advisory, e.g. the Debian LTS announcement, for the fixed package version)
Vendor Advisory: https://git.kernel.org/stable/c/087a9eb9e5978e3ba362e1163691e41097e8ca20
Restart Required: Yes (the fix is in the kernel image, so a reboot, or a vendor live patch where offered, is needed for it to take effect)
Instructions:
1. Update the kernel package to a version your distribution lists as fixing CVE-2025-37921. 2. Reboot into the new kernel. 3. Confirm with 'uname -r' that the running kernel is the updated one. The version string alone does not prove the backport is present, so also check the package changelog or advisory for the CVE ID.
🔧 Temporary Workarounds
Run VXLAN without vnifilter mode
The vnifilter and external (collect-metadata) flags cannot be changed on an existing VXLAN device with 'ip link set'; the kernel rejects the change, so the device must be deleted and recreated. Until patched, use one VXLAN device per VNI instead of a single vnifilter device:
# ip link del dev <vxlan_device>
# ip link add <vxlan_device> type vxlan id <vni> local <local_ip> dstport 4789 <remote_or_group_options>
Avoid VNI deletion operations
If a vnifilter device must stay in place, do not delete VNIs from it ('bridge vni del ...') until the kernel is patched. Adding VNIs and forwarding traffic do not exercise the unlocked deletion path.
🧯 If You Can't Patch
- Monitor kernel logs for WARNING splats naming vxlan_find_mac. This only works on kernels built with lockdep (CONFIG_PROVE_LOCKING), which production kernels usually are not, so a clean log is not proof that the bug was never hit
- Restrict who can issue netlink changes on the affected devices: VNI deletion needs CAP_NET_ADMIN in the device's network namespace, so keep that capability away from untrusted containers and operators
- Isolate affected systems from critical network segments
🔍 How to Verify
Check if Vulnerable:
Check whether any VXLAN device was created with the vnifilter flag (the flag appears on the detail line that 'ip -d' prints): # ip -d link show type vxlan | grep -w vnifilter
Check Version:
# uname -r
Verify Fix Applied:
The page does not list the exact fixed version numbers, so match against your distribution's advisory rather than a version regex. For example, on Debian: # zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz | grep CVE-2025-37921 ; on RPM-based systems: # rpm -q --changelog kernel | grep CVE-2025-37921. On a lockdep-enabled test kernel, additionally confirm that 'bridge vni del' on a vnifilter device no longer produces a vxlan_find_mac WARNING in dmesg.
📡 Detection & Monitoring
Log Indicators:
- WARNING lines in dmesg/journal whose call site is vxlan_find_mac (drivers/net/vxlan/vxlan_core.c), typically with the FDB deletion path (vxlan_fdb_delete) in the call trace; emitted only by lockdep-enabled kernels
Network Indicators:
- VXLAN connectivity issues after VNI deletion operations
SIEM Query:
Pseudo-query, adapt field names to your SIEM: source="kernel" AND "WARNING" AND "vxlan_find_mac"
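The vulnerability check from 'How to Verify' and the log indicator from 'Detection & Monitoring' as one added shell example; this is not code from the advisory or from the kernel project. The sample 'ip -d link' output and kernel-log lines are constructed to mirror the formats described above, and the function names are the example's own:

```shell
#!/bin/sh
# Added example for CVE-2025-37921 audit; not part of the advisory or the kernel tree.
# Assumes iproute2's 'ip -d link show' layout: an interface header line
# ("3: vx0: <...>") followed by indented detail lines, one of which starts
# with "vxlan" and lists flags such as "external" and "vnifilter".

# Print the name of every VXLAN device whose detail line carries the
# vnifilter flag. Reads 'ip -d link show type vxlan' output on stdin.
vnifilter_devices() {
    awk '
        # Header line: remember the interface name, minus the trailing colon
        # and any "@lower" suffix.
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev) }
        # Detail line for the vxlan link type: scan its flags.
        /^[[:space:]]+vxlan / {
            for (i = 1; i <= NF; i++) if ($i == "vnifilter") { print dev; break }
        }
    '
}

# Count kernel-log lines matching the lockdep warning signature for this bug.
# Reads dmesg or journal text on stdin. Only lockdep-enabled kernels
# (CONFIG_PROVE_LOCKING) emit this WARNING, so 0 does not prove absence.
count_vxlan_lock_warnings() {
    # grep -c prints 0 and exits 1 on no match; keep the count, drop the status.
    grep -c -E 'WARNING:.*vxlan_find_mac' || true
}

# Constructed sample input: one vnifilter device (vx0) and one ordinary
# per-VNI device (vx1). Real output has more fields; only the flags matter here.
SAMPLE_IP_OUTPUT='3: vx0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 1a:2b:3c:4d:5e:6f brd ff:ff:ff:ff:ff:ff promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
    vxlan external vnifilter local 192.0.2.1 srcport 0 0 dstport 4789 ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: vx1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 1a:2b:3c:4d:5e:70 brd ff:ff:ff:ff:ff:ff promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
    vxlan id 42 local 192.0.2.1 dev eth0 srcport 0 0 dstport 4789 ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Constructed sample kernel log: one lockdep splat header plus unrelated noise.
SAMPLE_KLOG='[  123.456789] WARNING: CPU: 3 PID: 212 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17a/0x1b0
[  123.456800] Modules linked in: vxlan
[  200.000000] vxlan: vx0: link becomes ready'

# Live usage on a host (requires iproute2 and read access to the kernel log):
#   ip -d link show type vxlan | vnifilter_devices
#   dmesg | count_vxlan_lock_warnings
```

Any device name printed by vnifilter_devices is a candidate for the recreate-without-vnifilter workaround above; a non-zero warning count is evidence the unlocked deletion path was actually hit, but only on a lockdep kernel.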
🔗 References
- https://git.kernel.org/stable/c/087a9eb9e5978e3ba362e1163691e41097e8ca20
- https://git.kernel.org/stable/c/2d4a121296aa3940d2df9906f955c2b6b4e38bc3
- https://git.kernel.org/stable/c/3576e9a80b6c4381b01ce0cbaa07f5e92d4492ed
- https://git.kernel.org/stable/c/470206205588559e60035fceb5f256640cb45f99
- https://git.kernel.org/stable/c/5cb9e07f84e527974b12e82e2549fa6c0cc6eef0
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html