CVE-2025-21674: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21674 affects the Linux kernel's IPsec tunnel functionality in the net/mlx5e subsystem. The vulnerability was discovered on January 31, 2025, and involves an inversion dependency warning that occurs when enabling IPsec packet offload in tunnel mode. The issue affects Linux kernel versions from 6.4 up to (excluding) 6.6.74, from 6.7 up to (excluding) 6.12.11, and version 6.13 release candidates (NVD).

The vulnerability stems from two specific issues in the kernel's IPsec implementation: 1) In the SA (Security Association) add section, the code should use _bh() variant when marking SA mode, and 2) There is an unnecessary flush_workqueue in the SA delete routine. The issue manifests as a SOFTIRQ-safe to SOFTIRQ-unsafe lock order detection, potentially leading to deadlock scenarios. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-667 (Improper Locking) (NVD, Kernel Patch).

The vulnerability can cause a kernel panic when attempting to enable IPsec packet offload in tunnel mode in debug kernel configurations. This affects system stability and availability, particularly in environments using IPsec tunneling with the affected network drivers (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves modifying the lock handling in the IPsec implementation by using proper _bh() variant for SA mode marking and removing unnecessary flush_workqueue calls. System administrators should update to patched kernel versions that include the fix (Kernel Patch).