CVE-2025-21961

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description A vulnerability has been resolved in the Linux kernel related to the bnxt driver. When mb-xdp is set and the return is XDP PASS, the packet is converted from xdp buff to sk buff with xdp update skb shared info() in bnxt xdp build skb(). However, bnxt xdp build skb() passes an incorrect truesize argument to xdp update skb shared info(). The truesize is calculated as BNXT RX PAGE SIZE * sinfo->nr frags, but the skb shared info was wiped by napi build skb() before. To fix this, the code stores sinfo->nr frags before bnxt xdp build skb() and uses it instead of getting skb shared info from xdp get shared info from buff().

Recommendations To resolve this issue, update the Linux kernel to a version that includes the fix for the bnxt driver. As a temporary workaround, consider disabling the mb-xdp feature until a patch is available. Restrict access to the bnxt driver to minimize the risk of exploitation. Avoid using the XDP PASS return value in the affected API endpoint until the issue is resolved.