CVE-2025-39867: 
Linux Debian vulnerability analysis and mitigation

A vulnerability in the Linux kernel's netfilter component, identified as CVE-2025-39867, was discovered and disclosed on September 23, 2025. The issue specifically affects the nftsetpipapo functionality when handling empty sets, where a null pointer dereference can occur due to an incorrect check for a null scratch map. This vulnerability is particularly relevant when AVX2 support is not available on the system (NVD).

The vulnerability stems from a broken check for a null scratch map in the netfilter code. The problematic code change replaced 'if (unlikely(!m || !rawcpuptr(m->scratch)))' with 'if (unlikely(!rawcpuptr(m->scratch)))', which incorrectly handles the validation. The correct implementation should have been 'if (!raw_...)' following the pattern used in the AVX2 version. Red Hat has assigned this vulnerability a CVSS v3 Base Score of 5.5, indicating moderate severity (Red Hat).

The vulnerability can lead to a null pointer dereference when handling empty sets in the netfilter subsystem, potentially causing system instability or crashes. This issue specifically manifests when AVX2 support is not available on the affected system (Debian).

Multiple Linux distributions have released fixes for this vulnerability. Debian has addressed this in various versions: bullseye (5.10.237-1), bookworm (6.1.153-1), and sid (6.16.8-1). The fix has also been incorporated into the mainline kernel (Debian).