Linux · Linux Kernel · CVE-2024-49953
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.58
**Description**
The issue is related to the `__xfrm_state_delete()` function in the Linux kernel, which can cause a crash when it is called twice on the same state. This happens because `km.state` is not checked in the driver's delayed work before `xfrm_state_check_expire()` runs, so a state that is already `XFRM_STATE_DEAD` can be reset to `XFRM_STATE_EXPIRED`. The fix skips `xfrm_state_check_expire()` whenever `km.state` is not `XFRM_STATE_VALID`. The vulnerability can be exploited to cause a denial of service.
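To make the ordering concrete, the following is an added example, not code from the kernel or from this advisory: a constructed C model of the xfrm state lifecycle in which the delayed work runs against a state that was already deleted, once without and once with the `km.state` guard. The model names (`xfrm_state_delete_model`, `sw_limits_work_vulnerable`, `sw_limits_work_fixed`, the `linked` field and the sample limits) are assumptions of the model, and it assumes the deleted state has not yet been freed when the work fires.

```c
#include <stdbool.h>

/* Constructed, simplified model of the xfrm state lifecycle; not kernel code. */
enum { XFRM_STATE_VALID, XFRM_STATE_EXPIRED, XFRM_STATE_DEAD };

struct xfrm_state {
    int km_state;                   /* stands in for x->km.state */
    bool linked;                    /* still on the xfrm hash lists */
    unsigned long hard_limit, used; /* hard traffic limit and traffic so far */
};

/* Models __xfrm_state_delete(): unlinks the state and marks it DEAD. Unlinking
 * an already-unlinked state is the double delete that crashes the kernel. */
static bool xfrm_state_delete_model(struct xfrm_state *x) {
    if (!x->linked)
        return false;               /* double delete: oops in the real kernel */
    x->linked = false;
    x->km_state = XFRM_STATE_DEAD;
    return true;
}
/* Models xfrm_state_check_expire(): at the hard limit it sets EXPIRED without
 * looking at km.state (so DEAD is overwritten) and the timer deletes the state. */
static bool xfrm_state_check_expire_model(struct xfrm_state *x) {
    if (x->used < x->hard_limit)
        return true;
    x->km_state = XFRM_STATE_EXPIRED;
    return xfrm_state_delete_model(x);
}
/* Before the fix: the delayed work runs the expiry check regardless of km.state. */
static bool sw_limits_work_vulnerable(struct xfrm_state *x) {
    return xfrm_state_check_expire_model(x);
}
/* After the fix: skip the expiry check unless the state is still VALID. */
static bool sw_limits_work_fixed(struct xfrm_state *x) {
    if (x->km_state != XFRM_STATE_VALID)
        return true;
    return xfrm_state_check_expire_model(x);
}
/* Sequence from the advisory: the SA is deleted (DEAD but not yet freed), then
 * the delayed work fires. Returns false when the model hits the double delete. */
static bool run_deleted_then_work(bool (*work)(struct xfrm_state *)) {
    struct xfrm_state x = { XFRM_STATE_VALID, true, 100, 100 }; /* limit reached */
    xfrm_state_delete_model(&x);
    return work(&x);
}
/* Normal expiry of a live SA: both variants must still expire and delete it. */
static bool run_normal_expiry(bool (*work)(struct xfrm_state *)) {
    struct xfrm_state x = { XFRM_STATE_VALID, true, 100, 100 };
    return work(&x) && x.km_state == XFRM_STATE_DEAD && !x.linked;
}
```

The guarded variant leaves an already-dead state alone while still expiring a live one, which is the whole content of the fix.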
**Recommendations**
To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the `__xfrm_state_delete()` function until a patch is available. Restrict access to the vulnerable `mlx5e_ipsec_handle_sw_limits()` function to minimize the risk of exploitation. Avoid using the `xfrm_state_check_expire()` function in the affected code path until the issue is resolved.