CVE-2025-39850: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39850 is a vulnerability discovered in the Linux kernel affecting the VXLAN (Virtual Extensible LAN) implementation. The issue was disclosed on September 19, 2025, and involves a NULL pointer dereference in the {arp,neigh}_reduce() functions when using nexthop objects (NVD).

The vulnerability occurs when the 'proxy' option is enabled on a VXLAN device. The device suppresses ARP requests and IPv6 Neighbor Solicitation messages if it can reply on behalf of the remote host, specifically when a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the 'any' remote (0.0.0.0 / ::). The code incorrectly assumes that the FDB entry for the neighbor's MAC address points to a valid remote destination, which is not true when the entry is associated with an FDB nexthop group (NVD).

The vulnerability results in a NULL pointer dereference in the Linux kernel, which can lead to system crashes and potential denial of service conditions. This affects systems running the vulnerable versions of the Linux kernel with VXLAN configurations (NVD).

The vulnerability has been fixed in Linux kernel version 6.12.48-1 for the Debian trixie distribution. The fix involves checking that the remote destination exists before dereferencing it. Users are recommended to upgrade their Linux packages to the patched versions (Debian Security).