What is CVE-2025-39980?

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Forbid FDB status change while nexthop is in a group

The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops:

ip nexthop add id 1 via 192.0.2.1 fdb

ip nexthop add id 2 group 1

Error: Non FDB nexthop group cannot have fdb nexthops.

And vice versa:

ip nexthop add id 3 via 192.0.2.2 dev dummy1

ip nexthop add id 4 group 3 fdb

Error: FDB nexthop group can only have fdb nexthops.

However, as long as no routes are pointing to a non-FDB nexthop group, the kernel allows changing the type of a nexthop from FDB to non-FDB and vice versa:

ip nexthop add id 5 via 192.0.2.2 dev dummy1

ip nexthop add id 6 group 5

ip nexthop replace id 5 via 192.0.2.2 fdb

echo $?

0

This configuration is invalid and can result in a NPD [1] since FDB nexthops are not associated with a nexthop device:

ip route add 198.51.100.1/32 nhid 6

ping 198.51.100.1

Fix by preventing nexthop FDB status change while the nexthop is in a group:

ip nexthop add id 7 via 192.0.2.2 dev dummy1

ip nexthop add id 8 group 7

ip nexthop replace id 7 via 192.0.2.2 fdb

Error: Cannot change nexthop FDB status while in a group.

[1] BUG: kernel NULL pointer dereference, address: 00000000000003c0 [...] Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:fib_lookup_good_nhc+0x1e/0x80 [...] Call Trace: fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

References