CVE-2025-38683 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix panic during namespace deletion with VF
The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
[ 231.458434] Call Trace:
[ 231.458600] <TASK>
[ 231.458777] ops_undo_list+0x100/0x220
[ 231.459015] cleanup_net+0x1b8/0x300
[ 231.459285] process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability described in CVE-2025-38683 affects the Linux kernel's Hyper-V network virtualization subsystem, specifically within the hv_netvsc driver responsible for managing network interfaces in virtualized environments. This issue arises during namespace deletion operations involving Virtual Function (VF) network interfaces, creating a critical race condition that leads to kernel panic and system instability. The flaw manifests when a VF NIC is moved to a different network namespace and subsequently the namespace is deleted, triggering an improper cleanup sequence that results in a NULL pointer dereference.
The technical root cause lies in the improper handling of network device list traversal during namespace cleanup. When the default_device_exit_batch() function calls default_device_exit_net(), it iterates through network devices using for_each_netdev_safe() macro. However, the hv_netvsc driver's logic moves the VF NIC back to the default namespace during the NETDEV_REGISTER event, which occurs while the cleanup process is actively traversing the device list. This concurrent modification causes the iterator to lose track of the list end, leading to access of freed memory locations and ultimately a kernel NULL pointer dereference at address 0x10. The vulnerability is classified under CWE-121 as a stack-based buffer overflow, though in this case it manifests as heap corruption through improper list management.
The operational impact of this vulnerability is severe, particularly in virtualized environments where network namespaces are frequently created and destroyed. Systems running Linux kernels with affected versions could experience unexpected kernel panics, system crashes, and complete service outages during routine namespace management operations. This affects cloud platforms, containerized environments, and virtualization infrastructure where network isolation is implemented through Linux network namespaces. The vulnerability is especially dangerous in production environments where automated namespace creation/deletion processes are common, as it can lead to unavailability of critical networking services and potential data loss.
The fix implemented addresses the core race condition by moving the namespace change operation to a dedicated workqueue and acquiring the rtnl_lock during critical sections. This approach ensures that namespace modifications occur outside the context of the active netdev list traversal, preventing concurrent access conflicts. The solution follows established kernel development practices for handling concurrent data structure modifications and aligns with ATT&CK technique T1484.001 for Privilege Escalation through kernel exploitation. By serializing the namespace changes and protecting the traversal with proper locking mechanisms, the fix eliminates the conditions that lead to the NULL pointer dereference. This mitigation strategy is consistent with kernel security best practices for preventing race conditions in network subsystems and represents a robust approach to maintaining kernel stability under concurrent namespace operations. The fix has been integrated into the mainline Linux kernel and should be applied to all affected systems to prevent exploitation.