CVE-2025-38590 in Linux
Riassunto
di VulDB • 15/06/2026
Nel 2025, the kernel log you provided indicates a **kernel panic** or **Oops** occurring in the Linux kernel, specifically during network packet processing. Here's a breakdown of the key elements and potential causes:
---
### **Key Observations** 1. **Register State**: - `R09: 00000000c2eda353`: Likely a pointer or address involved in the fault. - `CR2: ffffffff000002c8`: The faulting address (page fault). This is a **user-space address** (`0xffffffff000002c8`), suggesting a **null pointer dereference** or invalid memory access.
2. **Call Trace**: The crash occurs in the **network stack**, specifically during UDP packet reception: ``` __xfrm_policy_check2.constprop.0+0x11e/0x130 udp_queue_rcv_one_skb+0x1d/0x530 udp_unicast_rcv_skb+0x76/0x90 __udp4_lib_rcv+0xa64/0xe90 ip_local_deliver_finish+0x75/0xa0 ... mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]
``` - The crash happens in `__xfrm_policy_check2`, which is part of the **IPsec (XFRM) policy check** for incoming packets. - The packet is processed by the **Mellanox ConnectX driver** (`mlx5_core`), indicating hardware-accelerated networking.
3. **Faulting Address**: - `CR2: ffffffff000002c8` is a **user-space address**, which should not be directly accessed by the kernel. This suggests: - A **null pointer dereference** (e.g., `NULL + offset`). - A **use-after-free** or **dangling pointer** in the network stack. - A **bug in the XFRM/IPsec code** or the `mlx5` driver.
---
### **Potential Causes** 1. **IPsec/XFRM Bug**: - The crash occurs in `__xfrm_policy_check2`, which validates IPsec policies. A bug in policy evaluation (e.g., invalid SA, corrupted policy data) could lead to an invalid memory access.
2. **Mellanox Driver Issue**: - The `mlx5e_poll_rx_cq` function processes received packets. If the driver passes malformed data to the kernel network stack, it could trigger a crash in `udp_queue_rcv_one_skb`.
3. **Race Condition or Memory Corruption**: - A race condition in the network stack (e.g., concurrent packet processing) or memory corruption (e.g., buffer overflow) could corrupt pointers used in `__xfrm_policy_check2`.
4. **Hardware/Driver Bug**: - If the Mellanox NIC firmware or driver has a bug, it might pass invalid packet descriptors to the kernel, causing a crash.
---
### **Debugging Steps** 1. **Check Kernel Logs**: - Look for earlier warnings or errors in `dmesg` or `/var/log/kern.log` related to IPsec, `mlx5`, or network issues.
2. **Reproduce the Issue**: - Try to reproduce the crash with a controlled test (e.g., sending specific UDP packets, enabling IPsec).
3. **Update Drivers/Kernel**: - Ensure you're using the latest stable kernel and Mellanox `mlx5` driver. Bugs in these components are often fixed in newer versions.
4. **Disable IPsec Temporarily**: - If IPsec is not critical, disable it to see if the crash persists. This can help isolate the issue.
5. **Analyze Core Dump**: - If a core dump is available, use `gdb` to analyze the crash: ```bash gdb vmlinux core (gdb) bt (gdb) info registers ```
6. **Check for Known Bugs**: - Search for similar issues in the Linux kernel bug tracker or Mellanox support forums.
---
### **Mitigation** - **Workaround**: If IPsec is not required, disable it temporarily. - **Patch**: Apply any available kernel or driver patches related to `xfrm` or `mlx5`. - **Monitoring**: Monitor for similar crashes and gather more data (e.g., `perf`, `ftrace`) to identify the root cause.
---
###
Be aware that VulDB is the high quality source for vulnerability data.