CVE-2025-38127 in Linuxinfo

Summary

by MITRE • 07/03/2025

In the Linux kernel, the following vulnerability has been resolved:

ice: fix Tx scheduler error handling in XDP callback

When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation.

The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace:

[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5
[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI
[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)
[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022
[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]

[...]

[ +0.002715] Call Trace:
[ +0.002452] <IRQ>
[ +0.002021] ? __die_body.cold+0x19/0x29
[ +0.003922] ? die_addr+0x3c/0x60
[ +0.003319] ? exc_general_protection+0x17c/0x400
[ +0.004707] ? asm_exc_general_protection+0x26/0x30
[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]
[ +0.004835] ice_napi_poll+0x665/0x680 [ice]
[ +0.004320] __napi_poll+0x28/0x190
[ +0.003500] net_rx_action+0x198/0x360
[ +0.003752] ? update_rq_clock+0x39/0x220
[ +0.004013] handle_softirqs+0xf1/0x340
[ +0.003840] ? sched_clock_cpu+0xf/0x1f0
[ +0.003925] __irq_exit_rcu+0xc2/0xe0
[ +0.003665] common_interrupt+0x85/0xa0
[ +0.003839] </IRQ>
[ +0.002098] <TASK>
[ +0.002106] asm_common_interrupt+0x26/0x40
[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690

Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/18/2026

The vulnerability CVE-2025-38127 affects the Linux kernel's Intel Ethernet driver implementation, specifically within the ice driver module responsible for managing Intel Ethernet network adapters. This issue manifests as a critical system crash occurring during the execution of XDP (eXpress Data Path) programs, which are used for high-performance packet processing in kernel space. The flaw exists in the transactional handling of Tx (transmit) scheduler updates when XDP programs are loaded, creating a scenario where partial state modifications can persist even when the overall operation fails.

The technical root cause stems from incomplete rollback mechanisms within the XDP callback function that manages the addition of new Tx queues. When the Tx scheduler fails during queue configuration, the system should revert all preparatory changes made by the XDP callback to maintain system stability. However, the previous implementation failed to properly clean up all allocated resources, particularly leaving XDP queues mapped to q_vectors and retaining pointers to XDP rings in an inconsistent state. This partial cleanup leads to memory corruption and subsequent general protection faults when the kernel attempts to access freed or improperly configured resources during normal network processing operations.

The operational impact of this vulnerability is severe as it can result in complete system crashes and kernel panics, particularly affecting systems running with XDP-enabled network configurations. The crash occurs during the ice_napi_poll function execution, indicating that the fault manifests when the network driver's polling mechanism attempts to process packets after a failed XDP operation. The specific call trace shows the fault originating from __ice_update_sample function, which suggests that the corrupted state affects the driver's ability to maintain proper sample data structures during network processing. This vulnerability affects systems using Intel Ethernet adapters with the ice driver, particularly those implementing XDP for high-performance packet processing scenarios.

The fix implemented addresses the root cause by ensuring complete rollback of all XDP-related resources when failures occur. The solution involves explicitly unmapping XDP queues from q_vectors and setting the XDP rings pointer back to NULL after releasing all associated queues, thereby preventing the corruption of system state. Additionally, the implementation adds immediate exit conditions from the XDP callback when ring preparation fails, preventing further execution that could compound the error state. This remediation follows established security practices for transactional resource management and aligns with CWE-755 (Improper Handling of Exceptional Conditions) and ATT&CK technique T1490 (Inhibit System Recovery) by preventing the propagation of error states that could lead to system instability. The fix ensures that all changes made during XDP callback execution are properly reverted on failure, maintaining kernel integrity and preventing the general protection faults that would otherwise occur during subsequent network processing operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00157

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!