CVE-2025-38149

EPSS 0.03%
Published 03.07.2025 08:35:54
Last modified 03.07.2025 15:13:53
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

net: phy: clear phydev->devlink when the link is deleted

There is a potential crash issue when disabling and re-enabling the
network port. When disabling the network port, phy_detach() calls
device_link_del() to remove the device link, but it does not clear
phydev->devlink, so phydev->devlink is not a NULL pointer. Then the
network port is re-enabled, but if phy_attach_direct() fails before
calling device_link_add(), the code jumps to the "error" label and
calls phy_detach(). Since phydev->devlink retains the old value from
the previous attach/detach cycle, device_link_del() uses the old value,
which accesses a NULL pointer and causes a crash. The simplified crash
log is as follows.

[   24.702421] Call trace:
[   24.704856]  device_link_put_kref+0x20/0x120
[   24.709124]  device_link_del+0x30/0x48
[   24.712864]  phy_detach+0x24/0x168
[   24.716261]  phy_attach_direct+0x168/0x3a4
[   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c
[   24.725140]  phylink_of_phy_connect+0x1c/0x34

Therefore, phydev->devlink needs to be cleared when the device link is
deleted.

Affected products Warnungen 0 Metrics 1 CWE 0 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < 363fdf2777423ad346d781f09548cca14877f729

Version bc66fa87d4fda9053a8145e5718fc278c2b88253

Status affected

Version < ddc654e89ace723b78c34911c65243accbc9b75c

Version bc66fa87d4fda9053a8145e5718fc278c2b88253

Status affected

Version < 034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87

Version bc66fa87d4fda9053a8145e5718fc278c2b88253

Status affected

Version < 0795b05a59b1371b18ffbf09d385296b12e9f5d5

Version bc66fa87d4fda9053a8145e5718fc278c2b88253

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 6.2

Status affected

Version < 6.2

Version 0

Status unaffected

Version <= 6.6.*

Version 6.6.94

Status unaffected

Version <= 6.12.*

Version 6.12.34

Status unaffected

Version <= 6.15.*

Version 6.15.3

Status unaffected

Version <= *

Version 6.16

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.057

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/363fdf2777423ad346d781f09548cca14877f729

https://git.kernel.org/stable/c/ddc654e89ace723b78c34911c65243accbc9b75c

https://git.kernel.org/stable/c/034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87

https://git.kernel.org/stable/c/0795b05a59b1371b18ffbf09d385296b12e9f5d5

https://nvd.nist.gov/vuln/detail/CVE-2025-38149

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38149

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38149

EUVD