CVE-2025-38678
Published: Sep 3, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject duplicate device on updates A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device. Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case. WARNING is hit when unregistering the hook: [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) [...] [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 - < 0521e694d5b80899fba8695881a6349f9bc538cbaffected 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 - < 4681960bc0f4f8bcc782cbf2fd205f48ad314dfdaffected 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 - < 4ce2a0c3b8497a66cfc25fc7ca3d087258a785d2affected 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 - < 3f358a66a04513311668ea4b40f5064e253d8386affected 78d9f48f7f44431a25da2b46b3a8812f6ff2b981 - < cf23d531a9d496863aa4c5a0e2f71f0a23f3df3c+2 more versions |
Linux | Linux | affected 5.8unaffected 0 - < 5.8unaffected 5.10.247 - <= 5.10.*unaffected 5.15.197 - <= 5.15.*unaffected 6.1.159 - <= 6.1.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now