CVE-2025-38678: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38678 affects the Linux kernel's netfilter component, specifically the nf_tables functionality. The vulnerability was discovered and disclosed on September 3, 2025. The issue involves a chain/flowtable update with duplicated devices in the same batch, where the netdev event path only removes the first device found, leaving the hook of the duplicated device unregistered (NVD).

The vulnerability occurs in the netfilter subsystem of the Linux kernel, specifically affecting the nf_tables component. When a chain/flowtable update contains duplicated devices in the same batch, the netdev event path fails to properly handle the duplicate entries. The issue manifests as a WARNING message when unregistering the hook, with specific debug information showing the problem occurs in net/netfilter/core.c at line 340. The vulnerability has been assigned a CVSS v3 Base Score of 6.0 (Debian).

The vulnerability affects multiple Linux distributions including Debian Bullseye, Bookworm, and Trixie versions. When exploited, it can lead to improper handling of network filtering rules, potentially affecting system security and network functionality. The issue has been confirmed to affect Linux kernel versions up to 6.16.0+ (Debian).

The vulnerability has been fixed in Linux kernel version 6.16.3-1 and later. System administrators are advised to update their Linux kernel to the patched version. The fix involves adding a check for duplicated devices in the transaction batch, which will return EEXIST if such a case is detected (NVD).