{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21973","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.797Z","datePublished":"2025-04-01T15:47:05.506Z","dateUpdated":"2026-05-11T21:10:10.543Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:10:10.543Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}\n\nWhen qstats-get operation is executed, callbacks of netdev_stats_ops\nare called. The bnxt_get_queue_stats{rx | tx} collect per-queue stats\nfrom sw_stats in the rings.\nBut {rx | tx | cp}_ring are allocated when the interface is up.\nSo, these rings are not allocated when the interface is down.\n\nThe qstats-get is allowed even if the interface is down. However,\nthe bnxt_get_queue_stats{rx | tx}() accesses cp_ring and tx_ring\nwithout null check.\nSo, it needs to avoid accessing rings if the interface is down.\n\nReproducer:\n ip link set $interface down\n ./cli.py --spec netdev.yaml --dump qstats-get\nOR\n ip link set $interface down\n python ./stats.py\n\nSplat looks like:\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1680fa067 P4D 1680fa067 PUD 16be3b067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 UID: 0 PID: 1495 Comm: python3 Not tainted 6.14.0-rc4+ #32 5cd0f999d5a15c574ac72b3e4b907341\n Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\n RIP: 0010:bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en]\n Code: c6 87 b5 18 00 00 02 eb a2 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 01\n RSP: 0018:ffffabef43cdb7e0 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffc04c8710 RCX: 0000000000000000\n RDX: ffffabef43cdb858 RSI: 0000000000000000 RDI: ffff8d504e850000\n RBP: ffff8d506c9f9c00 R08: 0000000000000004 R09: ffff8d506bcd901c\n R10: 0000000000000015 R11: ffff8d506bcd9000 R12: 0000000000000000\n R13: ffffabef43cdb8c0 R14: ffff8d504e850000 R15: 0000000000000000\n FS:  00007f2c5462b080(0000) GS:ffff8d575f600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000167fd0000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __die+0x20/0x70\n  ? page_fault_oops+0x15a/0x460\n  ? sched_balance_find_src_group+0x58d/0xd10\n  ? exc_page_fault+0x6e/0x180\n  ? asm_exc_page_fault+0x22/0x30\n  ? bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en cdd546fd48563c280cfd30e9647efa420db07bf1]\n  netdev_nl_stats_by_netdev+0x2b1/0x4e0\n  ? xas_load+0x9/0xb0\n  ? xas_find+0x183/0x1d0\n  ? xa_find+0x8b/0xe0\n  netdev_nl_qstats_get_dumpit+0xbf/0x1e0\n  genl_dumpit+0x31/0x90\n  netlink_dump+0x1a8/0x360"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/broadcom/bnxt/bnxt.c"],"versions":[{"version":"af7b3b4adda592cb49e202f3617454d5dda4c5b5","lessThan":"f059a0fd733078c3832fd0f3a3037aa5975d3d36","status":"affected","versionType":"git"},{"version":"af7b3b4adda592cb49e202f3617454d5dda4c5b5","lessThan":"adb830085f0fc3a09a0fc8b64fed2e7c8d244665","status":"affected","versionType":"git"},{"version":"af7b3b4adda592cb49e202f3617454d5dda4c5b5","lessThan":"f09af5fdfbd9b0fcee73aab1116904c53b199e97","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/broadcom/bnxt/bnxt.c"],"versions":[{"version":"6.9","status":"affected"},{"version":"0","lessThan":"6.9","status":"unaffected","versionType":"semver"},{"version":"6.12.20","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.8","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.12.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.13.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f059a0fd733078c3832fd0f3a3037aa5975d3d36"},{"url":"https://git.kernel.org/stable/c/adb830085f0fc3a09a0fc8b64fed2e7c8d244665"},{"url":"https://git.kernel.org/stable/c/f09af5fdfbd9b0fcee73aab1116904c53b199e97"}],"title":"eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}","x_generator":{"engine":"bippy-1.2.0"}}}}