CVE-2025-38246: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38246 is a vulnerability discovered in the Linux kernel related to improper flushing of XDP redirect lists in the bnxt network driver. The vulnerability was disclosed on July 9, 2025, affecting various Linux kernel versions. The issue specifically impacts the bnxt network driver's handling of XDP (eXpress Data Path) redirect functionality (NVD, Debian Tracker).

The vulnerability manifests as a list corruption bug in the Linux kernel's bnxt driver when handling XDP redirect operations. The issue causes a kernel crash with a 'list_add corruption' error, specifically showing 'next->prev should be prev' mismatch in the list handling code. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity with local access required (Red Hat).

The vulnerability can lead to a kernel crash when the XDP_REDIRECT feature is utilized in production environments. This results in system instability and potential denial of service conditions. The crash occurs in the kernel's list handling code, specifically in lib/list_debug.c, which can disrupt normal system operations (Red Hat).

The vulnerability has been fixed in various Linux distributions. Debian has marked it as fixed in version 6.12.38-1 for sid release, while it remains vulnerable in some other versions. Red Hat has deferred fixes for Red Hat Enterprise Linux 9 and 10, while versions 6, 7, and 8 are not affected (Debian Tracker, Red Hat).