CVE-2025-39894

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm<br /> <br /> When send a broadcast packet to a tap device, which was added to a bridge,<br /> br_nf_local_in() is called to confirm the conntrack. If another conntrack<br /> with the same hash value is added to the hash table, which can be<br /> triggered by a normal packet to a non-bridge device, the below warning<br /> may happen.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200<br /> CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)<br /> RIP: 0010:br_nf_local_in+0x168/0x200<br /> Call Trace:<br /> <br /> nf_hook_slow+0x3e/0xf0<br /> br_pass_frame_up+0x103/0x180<br /> br_handle_frame_finish+0x2de/0x5b0<br /> br_nf_hook_thresh+0xc0/0x120<br /> br_nf_pre_routing_finish+0x168/0x3a0<br /> br_nf_pre_routing+0x237/0x5e0<br /> br_handle_frame+0x1ec/0x3c0<br /> __netif_receive_skb_core+0x225/0x1210<br /> __netif_receive_skb_one_core+0x37/0xa0<br /> netif_receive_skb+0x36/0x160<br /> tun_get_user+0xa54/0x10c0<br /> tun_chr_write_iter+0x65/0xb0<br /> vfs_write+0x305/0x410<br /> ksys_write+0x60/0xd0<br /> do_syscall_64+0xa4/0x260<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> To solve the hash conflict, nf_ct_resolve_clash() try to merge the<br /> conntracks, and update skb-&gt;_nfct. However, br_nf_local_in() still use the<br /> old ct from local variable &amp;#39;nfct&amp;#39; after confirm(), which leads to this<br /> warning.<br /> <br /> If confirm() does not insert the conntrack entry and return NF_DROP, the<br /> warning may also occur. There is no need to reserve the WARN_ON_ONCE, just<br /> remove it.