PT-2025-49065 · Linux+3 · Linux Kernel+3

Published: 2025-10-22 · Updated: 2026-05-07 · CVE-2025-40238

CVSS v2.0: 3.8 (Low)

Vector: AV:L/AC:H/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.12.0-rc6 for upstream min debug 2024 11 08 00 46

Description

The Linux kernel contains a flaw within the mlx5 network driver related to IPsec cleanup over MPV devices. Specifically, the issue arises during the mlx5e_detach_netdev() process, where blocking events are disabled without first properly unregistering the devcom device and marking device operations as complete. This can lead to invalid netdev usage during subsequent devcom events, potentially resulting in a kernel NULL pointer dereference. The vulnerability is triggered when handling IPsec MPV events from IB to core.

Recommendations

Upgrade to Linux kernel version 6.12.0-rc6 for upstream min debug 2024 11 08 00 46 or a later version that includes the fix.

Exploit

Fix

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

BDU:2026-02939
CVE-2025-40238
OPENSUSE-SU-2026:20145-1
SUSE-SU-2026:0447-1
SUSE-SU-2026:0472-1
SUSE-SU-2026:0587-1
SUSE-SU-2026:20207-1
SUSE-SU-2026:20220-1
SUSE-SU-2026:20228-1
SUSE-SU-2026:20477-1
SUSE-SU-2026:20498-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
USN-8029-1
USN-8029-2
USN-8029-3
USN-8030-1
USN-8048-1
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8165-1
USN-8261-1

Affected Products

Linuxmint
Linux Kernel
Ubuntu
Mlx5