CVE-2025-38283
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-11-19
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's hisi_acc_vfio_pci component related to live migration of virtual machines (VMs). If the virtual function (VF) device driver is not loaded in the Guest OS, attempting to migrate device data results in a NULL address for the migrated data. During live migration recovery on the destination side, accessing this NULL address causes access errors. The fix ensures that live migration of VMs without VF device drivers does not attempt device data migration, and if the queue address data is empty, device queue recovery is skipped.
How can this vulnerability impact me? :
This vulnerability can cause access errors during live migration of virtual machines if the VF device driver is not loaded in the Guest OS. This may lead to migration failures or instability in the VM migration process, potentially disrupting services relying on VM live migration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the VF (Virtual Function) device driver is loaded in the Guest OS before performing live migration. Avoid performing device data migration during live migration if the VF device driver is not loaded. Additionally, verify that the live migration process handles empty queue address data correctly to prevent device queue recovery processing errors.