Linux Kernel Vulnerability in IPsec Cleanup Over MPV Devices
CVE-2025-40238
Currently unrated
What is CVE-2025-40238?
A vulnerability in the Linux kernel causes a NULL pointer dereference during IPsec cleanup over Multi-path Virtual (MPV) devices. The issue arises when mlx5e_detach_netdev() is called, which disables the blocking event notifiers. If this happens before the devcom device is unregistered, subsequent operations may attempt to use an invalid netdev, leading to a crash. This vulnerability can disrupt device operations and requires prompt attention to ensure system stability.
Affected Version(s)
Linux 82f9378c443c206d3f9e45844306e5270e7e4109 < 7e212cebc863c2c7a82f480446cd731721451691
Linux 82f9378c443c206d3f9e45844306e5270e7e4109 < 8956686d398eca6d324d2d164f9d2a281175a3a1
Linux 82f9378c443c206d3f9e45844306e5270e7e4109 < 664f76be38a18c61151d0ef248c7e2f3afb4f3c7