CVE-2025-21970: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21970 is a vulnerability discovered in the Linux kernel affecting the MLX5 network driver's bridge functionality. The issue was disclosed on April 1, 2025, and specifically impacts the handling of Link Aggregation (LAG) device removal from bridge configurations (NVD, CVE).

The vulnerability occurs when removing a LAG device from a bridge, triggering a NETDEV_CHANGEUPPER event. The driver attempts to find lower devices (PFs) to flush offloaded entries, but mlx5_lag_is_shared_fdb returns false if one PF is unloaded. This causes mlx5_esw_bridge_lag_rep_get() to return NULL instead of the alive PF, resulting in skipped flush operations. Additionally, the bridge FDB entry's lastuse field is not properly updated, preventing entry aging (CVE).

The vulnerability leads to a system crash when accessing a destroyed bond netdev, as the mlx5 bridge workqueue continues sending events that are handled by the kernel bridge notifier. This creates a persistent crash condition affecting system stability (CVE).

The issue has been fixed in various Linux distributions including Debian Bookworm (version 6.1.133-1) and Trixie (version 6.12.21-1). The fix involves removing certain LAG state checks, as these are already verified during bridge initialization (Debian Security).