CVE-2025-38726 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect

After the call to phy_disconnect() netdev->phydev is reset to NULL. So fixed_phy_unregister() would be called with a NULL pointer as argument. Therefore cache the phy_device before this call.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability CVE-2025-38726 represents a critical NULL pointer dereference issue within the Linux kernel's network driver subsystem, specifically affecting the ftgmac100 Ethernet driver implementation. This flaw resides in the network interface controller driver responsible for managing the Faraday Technology ftgmac100 hardware, which is commonly used in embedded systems and SoC platforms. The vulnerability stems from improper handling of phy_device references during the disconnection process, creating a scenario where a NULL pointer is passed to a critical function that expects a valid device reference. The ftgmac100 driver implements the phy_disconnect() function as part of its network device cleanup operations, which is designed to properly terminate the connection between the network interface and the physical layer device. However, the sequence of operations within this driver creates a race condition or improper state management that leads to the corruption of device reference pointers.

The technical implementation flaw occurs when the ftgmac100 driver processes the phy_disconnect() operation, which is a standard function call used to gracefully terminate the connection with a physical layer device. During this process, the driver resets the netdev->phydev pointer to NULL as part of the cleanup procedure, but fails to account for the subsequent call to fixed_phy_unregister() which requires a valid phy_device argument. This fundamental error in pointer management creates a scenario where the fixed_phy_unregister() function receives a NULL parameter, leading to immediate system instability and potential kernel crashes. The issue demonstrates poor defensive programming practices where the driver does not properly cache or preserve the phy_device reference before the pointer reset operation occurs, violating standard kernel development principles for resource management and memory safety. The vulnerability directly maps to CWE-476 which identifies NULL pointer dereference as a critical weakness in software security.

The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling denial of service conditions that can affect embedded systems, network appliances, and IoT devices running Linux kernels with the affected ftgmac100 driver. Attackers could exploit this vulnerability to cause system instability, leading to complete service disruption in networked devices that rely on this driver for Ethernet connectivity. The flaw is particularly concerning in embedded environments where such devices may not have easy recovery mechanisms, potentially resulting in permanent system unavailability. Additionally, the vulnerability could be leveraged in more sophisticated attacks targeting network infrastructure devices, as the kernel crash could be used to disrupt network operations or potentially provide a foothold for further exploitation. From an ATT&CK perspective, this vulnerability aligns with techniques involving privilege escalation and denial of service, as the kernel-level NULL pointer dereference could potentially be chained with other exploits to gain elevated privileges or maintain persistent access to compromised systems.

Mitigation strategies for CVE-2025-38726 require immediate kernel updates from vendors who have addressed this specific issue in their patched versions, as the vulnerability exists at the core driver level and cannot be effectively mitigated through user-space configurations. System administrators should prioritize patching affected systems, particularly those running embedded devices or network infrastructure equipment that utilize ftgmac100 hardware. The fix implemented by kernel developers involves caching the phy_device reference before calling phy_disconnect() to ensure that fixed_phy_unregister() receives a valid argument even after the netdev->phydev pointer has been reset to NULL. This approach follows established security practices for preventing NULL pointer dereferences and represents a standard defensive programming technique. Organizations should also implement monitoring for unusual system behavior or network disruptions that could indicate exploitation attempts, while maintaining inventory records of all devices using affected hardware to ensure comprehensive patch management across their infrastructure. The vulnerability serves as a reminder of the critical importance of thorough testing and validation of driver code, particularly in kernel space where memory safety violations can lead to complete system compromise.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!