CVE-2025-38020

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description A vulnerability in the Linux kernel has been resolved. The issue is related to MACsec offload for uplink representor profiles. MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference. The vulnerability can cause a general protection fault.

Recommendations For Linux kernel versions prior to the fixed version, clear the NETIF F HW MACSEC feature in the mlx5e fix uplink rep features() function to resolve the issue. As a temporary workaround, consider disabling the MACsec offload feature for uplink representor profiles until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected API endpoints until the issue is resolved.

Note: The provided information does not specify the exact fixed version of the Linux kernel. Therefore, it is recommended to update to the latest available version to ensure the vulnerability is resolved.