CVE-2025-38440
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
25/07/2025
Last modified:
19/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race between DIM disable and net_dim()

There's a race between disabling DIM and NAPI callbacks using the dim
pointer on the RQ or SQ.

If NAPI checks the DIM state bit and sees it still set, it assumes
`rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after
that check, the pointer might already be set to NULL, leading to a NULL
pointer dereference in net_dim().

Fix this by calling `synchronize_net()` before freeing the DIM context.
This ensures all in-progress NAPI callbacks are finished before the
pointer is cleared.

Kernel log:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:net_dim+0x23/0x190
...
Call Trace:

? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? common_interrupt+0xf/0xa0
? sysvec_call_function_single+0xb/0x90
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? net_dim+0x23/0x190
? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]
? sysvec_apic_timer_interrupt+0xb/0x90
mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]
mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]
? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core]
busy_poll_stop+0xa2/0x200
? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core]
? mlx5e_trigger_irq+0x130/0x130 [mlx5_core]
__napi_busy_loop+0x345/0x3b0
? sysvec_call_function_single+0xb/0x90
? asm_sysvec_call_function_single+0x16/0x20
? sysvec_apic_timer_interrupt+0xb/0x90
? pcpu_free_area+0x1e4/0x2e0
napi_busy_loop+0x11/0x20
xsk_recvmsg+0x10c/0x130
sock_recvmsg+0x44/0x70
__sys_recvfrom+0xbc/0x130
? __schedule+0x398/0x890
__x64_sys_recvfrom+0x20/0x30
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53
...
---[ end trace 0000000000000000 ]---
...
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.12.39 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | | |
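
An added triage example (not part of the advisory or the kernel patch): it checks a `uname -r` style string against the upstream ranges in the table above and looks for the crash shape from the kernel log quoted in the description. The function names are hypothetical, and distribution kernels may carry the fix under an older version string, so the version result is an upstream indication only.

```python
import re

# Upstream ranges from the advisory's CPE table: (from, inclusive) .. (up to, exclusive).
AFFECTED_RANGES = [((6, 10, 0), (6, 12, 39)), ((6, 13, 0), (6, 15, 7))]

# The three markers visible in the kernel log quoted in the description.
OOPS_MARKERS = (
    r"BUG: kernel NULL pointer dereference",
    r"RIP: \d+:net_dim\+0x",
    r"mlx5e_\w+\+0x[0-9a-f]+/0x[0-9a-f]+ \[mlx5_core\]",
)

# Excerpt of the log quoted in the description, used as sample input.
SAMPLE_LOG = """\
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:net_dim+0x23/0x190
 mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]
 mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]
"""

def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc-or-None)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)

def upstream_affected(release):
    """True if the upstream version falls inside the advisory's affected ranges."""
    version, rc = parse_release(release)
    if version == (6, 16, 0):
        # Only 6.16-rc1 through -rc5 are listed; the 6.16 release itself is not.
        return rc is not None and 1 <= rc <= 5
    for low, high in AFFECTED_RANGES:
        # An -rc build precedes its release, so it cannot satisfy "from (including)".
        lower_ok = low < version if rc is not None else low <= version
        if lower_ok and version < high:
            return True
    return False

def matches_oops_signature(log_text):
    """True if the log contains every marker of the crash shape in the advisory."""
    return all(re.search(p, log_text) for p in OOPS_MARKERS)

if __name__ == "__main__":
    for rel in ("6.12.38", "6.12.39", "6.15.6-200.fc42.x86_64", "6.16.0-rc5"):
        print(rel, "affected" if upstream_affected(rel) else "not in listed ranges")
    print("sample log matches:", matches_oops_signature(SAMPLE_LOG))
```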