CVE-2025-21960 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it. This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed. Splat looks like: WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_] CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f RSP: 0018:ffff88881ba09928 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0xcd/0x2f0 ? bnxt_rx_pkt+0x479b/0x7610 ? report_bug+0x326/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? bnxt_rx_pkt+0x479b/0x7610 ? bnxt_rx_pkt+0x3e41/0x7610 ? __pfx_bnxt_rx_pkt+0x10/0x10 ? napi_complete_done+0x2cf/0x7d0 __bnxt_poll_work+0x4e8/0x1220 ? __pfx___bnxt_poll_work+0x10/0x10 ? __pfx_mark_lock.part.0+0x10/0x10 bnxt_poll_p5+0x36a/0xfa0 ? __pfx_bnxt_poll_p5+0x10/0x10 __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x899/0xd00 ... Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-10	0.09%	0.02%	-0.07%
2	2026-01-26	0.03%	0.09%	+0.06%
3	2025-08-28	—	0.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-10

0.09%

0.02%

-0.07%

2026-01-26

0.03%

0.09%

+0.06%

2025-08-28

—

0.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2025-21960

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-21960 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-21960
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-21960
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2025-21960/
`ubuntu`	medium	CVE-2025-21960 medium priority: Ubuntu including 150 source packages (linux, linux-allwinner-5.19, …), 1487 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1097, ignored 150, released 130, not-affected 110.	https://ubuntu.com/security/CVE-2025-21960

Affected software / configurations for CVE-2025-21960

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.19, < 6.1.132	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.84	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.20	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.13.8	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc5::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc6::::::

References for CVE-2025-21960

URL	Tags
https://git.kernel.org/stable/c/44578bc6460b8fca530fc7bd5897c115d9bd27e2	Patch
https://git.kernel.org/stable/c/5b57ed14a1b85e7ab0074d9668a0baa6c94826c7	Patch
https://git.kernel.org/stable/c/c03e7d05aa0e2f7e9a9ce5ad8a12471a53f941dc	Patch
https://git.kernel.org/stable/c/e8e3e03d69f2420eaa578199a65d281c58867105	Patch
https://git.kernel.org/stable/c/ee086c8e775f9690282e3d26471dbcfd5dad5a6a	Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

URL

CVE-2025-21960 | eth: bnxt: do not update checksum in bnxt_xdp_build_skb()

Exploit prediction scoring system (EPSS) score for CVE-2025-21960

Common vulnerability scoring system (CVSS) metrics for CVE-2025-21960

Weakness enumeration for CVE-2025-21960

OS Trackers for CVE-2025-21960

Affected software / configurations for CVE-2025-21960

References for CVE-2025-21960