CVE-2025-68770 Overview
CVE-2025-68770 is a vulnerability in the Linux kernel's Broadcom NetXtreme-C/E (bnxt_en) network driver affecting the XDP_TX (eXpress Data Path transmit) code path. It stems from bnxt_rx_xdp() clearing event flags incorrectly while being called repeatedly within a single NAPI poll. Because those flags decide whether the driver rings the TX doorbell at the end of the poll, the mis-clearing can leave XDP_TX descriptors queued in the ring without the hardware ever being told about them; the RX buffers those descriptors hold are then never returned, the RX ring runs empty and all traffic arriving on it is dropped.
Critical Impact
This vulnerability can cause complete packet loss on an affected interface when XDP_TX is in use: once the RX ring feeding the stalled XDP TX ring is exhausted, nothing further is received on it. The effect is a denial of service of network traffic processing on that interface.
Affected Products
- Linux kernel with bnxt_en driver (Broadcom NetXtreme-C/E NICs)
- Systems using XDP (eXpress Data Path) with Broadcom network adapters
- Linux distributions running affected kernel versions with bnxt_en module loaded
Discovery Timeline
- 2026-01-13 - CVE-2025-68770 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68770
Vulnerability Analysis
The vulnerability exists in the XDP_TX handling within the bnxt_en driver's receive path. During NAPI polling, the __bnxt_poll_work() function calls bnxt_rx_pkt(), which in turn calls bnxt_rx_xdp(). These functions may loop multiple times within a single NAPI poll cycle, setting various event flags during different iterations.
The core issue is that when processing an XDP_TX action, bnxt_rx_xdp() clears event flags that earlier iterations of the same poll may have set. If BNXT_TX_EVENT was set by a previous iteration (meaning XDP_TX descriptors are already queued and waiting for a doorbell), a later XDP_TX action clears it. Normally this is harmless, because BNXT_TX_EVENT is set again when __bnxt_xmit_xdp() is called for the new packet. If the TX ring is full, however, __bnxt_xmit_xdp() is not called for that packet and the flag stays cleared.
The result is a TX ring whose producer index has advanced but whose doorbell is never rung, because at the end of the poll the driver sees no BNXT_TX_EVENT and does not know that transmissions are pending. XDP_TX recycles RX buffers into the TX ring and only returns them to the RX ring once the corresponding TX completions arrive; with no doorbell there are no completions, so the RX ring associated with that XDP TX ring drains until it is empty and every packet arriving on it is dropped.
For multi-buffer XDP_TX, the same code also cleared the event flags unnecessarily and set BNXT_AGG_EVENT, even though the aggregation flag is already set earlier in bnxt_rx_pkt() for such packets.
Root Cause
The root cause is a logic error in event flag management, not a race: bnxt_rx_xdp() treats the event mask as if it described only the current packet, while the mask actually accumulates state across every packet handled in one NAPI poll. Clearing it on each XDP_TX discards the BNXT_TX_EVENT left by earlier packets, and the code only restores the flag on the success path of the transmit, so the full-ring path silently loses it.
Attack Vector
This is a kernel denial-of-service condition reached through ordinary traffic; no privileges on the target are needed:
- Systems that run XDP programs returning XDP_TX on bnxt_en interfaces (load balancers, packet forwarders, DDoS mitigation) are directly affected
- The condition is triggered by normal packet processing whenever XDP_TX actions are executed; no malformed input is required
- High packet rates, or traffic patterns that fill the XDP TX ring, make the failing path (an XDP_TX verdict while the TX ring is full) more likely, so a remote sender able to generate such traffic can bring the stall on sooner
- No authentication is required to trigger the condition, since standard network traffic is enough
Detection Methods for CVE-2025-68770
Indicators of Compromise
- Sudden and complete packet drops on a Broadcom NetXtreme-C/E interface running an XDP program that uses XDP_TX
- Per-ring RX discard or buffer-error counters climbing in ethtool -S output while the link stays up
- Transmit counters for the XDP TX ring stop increasing even though the XDP program keeps returning XDP_TX
- The interface appears dead although no link or hardware errors are reported
Detection Strategies
- Poll ethtool -S <interface> and alert when RX discard or buffer-error counters keep climbing while the RX packet counters flatten (counter names vary between driver versions; check what your kernel exposes)
- If the XDP program keeps its own per-verdict counters in a map, compare its XDP_TX count with the interface TX counters: XDP_TX verdicts without matching transmitted packets indicate a stalled ring
- Check kernel logs for bnxt_en warnings about TX rings, timeouts or doorbells
- Where the symbols are not inlined, attach kprobes (for example with bpftrace) to bnxt_rx_xdp() and __bnxt_xmit_xdp() and compare their call rates per CPU; a ring that keeps taking XDP_TX verdicts without transmit calls points at the stall
Monitoring Recommendations
- Alert on sudden drops in throughput on XDP-enabled Broadcom interfaces
- Watch for asymmetry between RX work completed and TX completions on the XDP rings
- Run regular end-to-end health checks that push traffic through each XDP-enabled interface and verify it comes back
- Use kernel tracing (ftrace or perf) on function entry counts rather than on the flags themselves: the event mask is a local variable and is invisible to tracing, but a fall in __bnxt_xmit_xdp() calls relative to bnxt_rx_xdp() calls is observable
How to Mitigate CVE-2025-68770
Immediate Actions Required
- Update to a kernel that contains the bnxt_en fix; the stable trees carry the backports, so follow your distribution's advisory for the fixed package version
- If patching is not immediately possible, consider temporarily disabling XDP on affected interfaces
- Monitor affected systems closely for signs of packet loss or RX ring exhaustion
- Plan maintenance windows for kernel updates on systems running XDP workloads with Broadcom NICs
Patch Information
The fix changes the event flag handling in bnxt_rx_xdp() so that BNXT_RX_EVENT is only cleared when __bnxt_xmit_xdp() is actually called, preserving any BNXT_TX_EVENT set by earlier iterations of the poll, and drops the redundant flag clearing and BNXT_AGG_EVENT setting in the multi-buffer XDP_TX path. The fix has been backported to the stable kernel trees.
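To make the flag bookkeeping concrete, here is a small C model of the behaviour described in the Technical Details and in the Patch Information above. It is an added illustration written for this page, not bnxt_en source: the flag bit values, the two-slot ring, the 'T'/'P' verdict strings and the XDP_PASS handling are assumptions, and only the single-buffer XDP_TX path is modelled. It runs one simulated NAPI poll with the pre-fix and the post-fix ordering and reports whether the TX doorbell was rung and how many RX buffers are left stranded.

```c
/* Model of the bnxt_en event-flag bookkeeping described on this page.
 * Added illustration only, NOT driver source: flag bit values, ring size
 * and the PASS/TX handling are assumptions chosen to expose the failure.
 * Only the single-buffer XDP_TX path is modelled. */
#include <stdbool.h>
#include <stdio.h>

#define BNXT_RX_EVENT 1u  /* assumed bit values for the example */
#define BNXT_TX_EVENT 4u

enum xdp_act { ACT_PASS, ACT_TX };

struct tx_ring {
	unsigned prod;         /* producer index, advanced by each XDP_TX */
	unsigned avail;        /* free TX descriptors */
	unsigned rx_bufs_held; /* RX pages recycled into TX, returned on TX completion */
	bool doorbell_rung;
};

typedef void (*rx_xdp_fn)(enum xdp_act act, struct tx_ring *tx, unsigned *event);

/* Stand-in for __bnxt_xmit_xdp(): queue one descriptor, recycle the RX page. */
static void xmit_xdp(struct tx_ring *tx)
{
	tx->prod++;
	tx->avail--;
	tx->rx_bufs_held++;
}

/* Pre-fix ordering as the advisory describes it: flags left by earlier
 * iterations are wiped on every XDP_TX, and TX_EVENT only comes back if
 * the transmit actually goes ahead. */
static void rx_xdp_buggy(enum xdp_act act, struct tx_ring *tx, unsigned *event)
{
	if (act != ACT_TX) {
		*event |= BNXT_RX_EVENT; /* PASS: buffer consumed, refill needed */
		return;
	}
	*event &= ~(BNXT_RX_EVENT | BNXT_TX_EVENT);
	if (tx->avail == 0)
		return;  /* ring full: drop, and TX_EVENT stays cleared */
	xmit_xdp(tx);
	*event |= BNXT_TX_EVENT;
}

/* Post-fix ordering: check for room first, clear RX_EVENT only when a
 * transmit really happens, never clear TX_EVENT. */
static void rx_xdp_fixed(enum xdp_act act, struct tx_ring *tx, unsigned *event)
{
	if (act != ACT_TX) {
		*event |= BNXT_RX_EVENT;
		return;
	}
	if (tx->avail == 0)
		return;  /* drop; the event mask is left alone */
	*event &= ~BNXT_RX_EVENT;
	*event |= BNXT_TX_EVENT;
	xmit_xdp(tx);
}

/* One NAPI poll over a constructed verdict string ('T' = XDP_TX, anything
 * else = XDP_PASS) against a ring with 'slots' free descriptors.  The mask
 * is acted on once after the loop, as __bnxt_poll_work() rings doorbells
 * after its loop.  Returns the resulting ring state. */
static struct tx_ring napi_poll(rx_xdp_fn handler, unsigned slots, const char *verdicts)
{
	struct tx_ring tx = { 0, slots, 0, false };
	unsigned event = 0;

	for (const char *p = verdicts; *p; p++)
		handler(*p == 'T' ? ACT_TX : ACT_PASS, &tx, &event);
	if (event & BNXT_TX_EVENT) {
		tx.doorbell_rung = true;
		tx.rx_bufs_held = 0; /* NIC transmits; completions return the RX pages */
	}
	return tx;
}

/* Descriptors were produced but the NIC was never told about them. */
static bool tx_stuck(const struct tx_ring *tx)
{
	return tx->prod > 0 && !tx->doorbell_rung;
}

static bool poll_leaves_tx_stuck(rx_xdp_fn h, unsigned slots, const char *verdicts)
{
	struct tx_ring tx = napi_poll(h, slots, verdicts);

	return tx_stuck(&tx);
}

static unsigned poll_rx_bufs_held(rx_xdp_fn h, unsigned slots, const char *verdicts)
{
	return napi_poll(h, slots, verdicts).rx_bufs_held;
}

int main(void)
{
	/* Three XDP_TX verdicts in one poll; the ring has two free slots. */
	printf("buggy: tx stuck=%d rx buffers held=%u\n",
	       poll_leaves_tx_stuck(rx_xdp_buggy, 2, "TTT"),
	       poll_rx_bufs_held(rx_xdp_buggy, 2, "TTT"));
	printf("fixed: tx stuck=%d rx buffers held=%u\n",
	       poll_leaves_tx_stuck(rx_xdp_fixed, 2, "TTT"),
	       poll_rx_bufs_held(rx_xdp_fixed, 2, "TTT"));
	return 0;
}
```

With two free slots and three XDP_TX verdicts, the pre-fix ordering ends the poll with two produced descriptors, no doorbell and two RX pages stranded, while the post-fix ordering rings the doorbell and returns them. Shorten the burst to "TT" and the bug disappears, which is why the stall only shows up under TX ring pressure.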
Workarounds
- Disable XDP on affected Broadcom NetXtreme-C/E interfaces until patches can be applied
- Use alternative NIC drivers or hardware for XDP workloads if possible
- Where architecturally feasible, use XDP_REDIRECT instead of XDP_TX; before relying on this, verify on your kernel that the redirect path does not share the affected flag handling, since redirected frames on bnxt_en also leave through the XDP TX rings
- Reduce TX ring pressure by tuning ring sizes or implementing rate limiting upstream
# Temporary workaround: detach the XDP program from the interface
ip link set dev <interface> xdp off
# Verify: the xdp attribute (xdp, xdpgeneric or xdpoffload) should no longer appear
ip link show dev <interface>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

