CVE-2025-38114
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-11-20
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deadlock issue in the Linux kernel's e1000 network driver. It occurs because the function e1000_down calls cancel_work_sync for the e1000 reset task while holding the RTNL lock. Meanwhile, the reset task tries to take the RTNL lock again, causing a deadlock between two CPUs. The fix involves moving the cancel_work_sync call out of e1000_down to avoid this deadlock scenario.
How can this vulnerability impact me? :
This vulnerability can cause a deadlock in the Linux kernel's network driver, potentially leading to system hangs or unresponsiveness related to network device shutdown or removal. This can impact system stability and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the e1000 driver has been fixed to move cancel_work_sync out of e1000_down and instead call it only when the device is being removed. This avoids the deadlock scenario described. There are no specific configuration changes or workarounds mentioned other than applying the patch or updated kernel that includes this fix.