CVE-2025-68197

Vulnerability

In the Linux kernel's bnxt_en driver, a null pointer dereference vulnerability exists in the bnxt_bs_trace_check_wrap() function. The issue occurs when the firmware sends an ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER event for a trace data type that has not been initialized. Without a proper guard, the driver attempts to access a magic_byte pointer that is NULL, leading to a crash [1].

Exploitation

An attacker with the ability to trigger or influence firmware events on a system using the bnxt_en driver (e.g., via malicious or older firmware) could cause the kernel to dereference a NULL pointer. No special privileges beyond local access to trigger the event are required, though the attack surface is limited to systems with Broadcom NetXtreme network adapters [1].

Impact

Successful exploitation results in a denial of service (kernel panic) due to the null pointer dereference. This can cause system instability or crash, potentially affecting availability of the host [1].

Mitigation

The fix adds a guard to check for a valid magic_byte pointer before proceeding, preventing the dereference. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing this commit to mitigate the vulnerability.