PT-2025-40068 · Linux+5 · Linux Kernel+6

Published: 2025-09-09 · Updated: 2026-05-26 · CVE-2025-39894

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.17.0-rc2-dirty #44

Description

The Linux kernel contains an issue within the netfilter module, specifically in the br_netfilter component. A hash collision can occur when handling broadcast packets sent to a bridge interface, potentially leading to a warning message. This happens because br_nf_local_in() continues to use an outdated conntrack entry after a confirmation process, even if the confirmation fails to insert a new entry. The issue arises when another conntrack with the same hash value is added to the hash table, triggered by a normal packet to a non-bridge device. The function br_nf_local_in() is involved in the process, and the warning message indicates a potential problem with conntrack management.

Recommendations

Update to a version beyond 6.17.0-rc2-dirty #44.

Related Identifiers

AZL-74745
BDU:2025-15658
CVE-2025-39894
DLA-4328-1
ECHO-3121-F8AD-A40C
OESA-2026-2417
OESA-2026-2418
USN-7909-1
USN-7909-2
USN-7909-3
USN-7909-4
USN-7909-5
USN-7910-1
USN-7910-2
USN-7933-1
USN-7938-1
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8165-1
USN-8261-1

Affected Products

Astra Linux
Linuxmint
Linux Kernel
Ubuntu
Br Netfilter
Br Nf Local In
Netfilter