CVE-2025-37959: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37959 is a vulnerability in the Linux kernel related to packet handling during network namespace transitions, discovered and disclosed on May 20, 2025. The vulnerability affects the bpfredirectpeer functionality when redirecting packets between network namespaces (NVD Database, Wiz Report).

The vulnerability occurs when bpfredirectpeer is used to redirect packets to a device in another network namespace, where the socket buffer (skb) isn't properly scrubbed. This leads to skb information from one namespace potentially being misused in another namespace. The issue particularly affects scenarios involving IPsec decryption, where XFRM state information persists across namespace transitions (Wiz Report).

The vulnerability can cause traffic disruption in containerized environments, particularly affecting systems using Cilium for network management. When packets are redirected after IPsec decryption to a container namespace, they are incorrectly dropped due to mismatched XFRM states between namespaces (Wiz Report).

The issue has been resolved by implementing packet scrubbing when using bpfredirectpeer, similar to the approach used in typical netns switches via veth devices. The fix maintains the skb->mark and skb->tstamp values while scrubbing other potentially problematic information. For the Debian stable distribution (bookworm), these problems have been fixed in version 6.1.140-1 (Debian Security).