{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39980","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.150Z","datePublished":"2025-10-15T07:56:00.275Z","dateUpdated":"2026-05-11T21:40:08.868Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:40:08.868Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n <TASK>\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/nexthop.c"],"versions":[{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"e1e87ac0daacd51f522ecd1645cd76b5809303ed","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"0e7bfe7a268ccbd7859730c529161cafbf44637c","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"ec428fff792b7bd15b248dafca2e654b666b1304","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"24046d31f6f92220852d393d510b6062843e3fbd","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"f0e49fd13afe9dea7a09a1c9537fd00cea22badb","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"8dd4aa0122885f710930de135af2adc4ccc3238f","status":"affected","versionType":"git"},{"version":"38428d68719c454d269cb03b776d8a4b0ad66111","lessThan":"390b3a300d7872cef9588f003b204398be69ce08","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/nexthop.c"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.245","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.194","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.155","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.109","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.50","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.10","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.15.194"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.1.155"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.6.109"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.12.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.16.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e1e87ac0daacd51f522ecd1645cd76b5809303ed"},{"url":"https://git.kernel.org/stable/c/0e7bfe7a268ccbd7859730c529161cafbf44637c"},{"url":"https://git.kernel.org/stable/c/ec428fff792b7bd15b248dafca2e654b666b1304"},{"url":"https://git.kernel.org/stable/c/24046d31f6f92220852d393d510b6062843e3fbd"},{"url":"https://git.kernel.org/stable/c/f0e49fd13afe9dea7a09a1c9537fd00cea22badb"},{"url":"https://git.kernel.org/stable/c/8dd4aa0122885f710930de135af2adc4ccc3238f"},{"url":"https://git.kernel.org/stable/c/390b3a300d7872cef9588f003b204398be69ce08"}],"title":"nexthop: Forbid FDB status change while nexthop is in a group","x_generator":{"engine":"bippy-1.2.0"}}}}