CVE-2025-38186

5.5 MEDIUM

📋 TL;DR

A double-free vulnerability in the Linux kernel's bnxt_en driver allows local attackers to cause a kernel panic (denial of service) by triggering multiple suspend operations on RoCE interfaces. This affects systems using Broadcom NetXtreme-E network adapters with RDMA over Converged Ethernet (RoCE) enabled.

💻 Affected Systems

Products:
  • Linux kernel with bnxt_en driver
Versions: Linux kernel versions from the commit that introduced the bug up to, but not including, the versions that carry the fixes
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using Broadcom NetXtreme-E adapters with RoCE functionality enabled. Systems without these adapters or with RoCE disabled are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and complete denial of service, requiring physical or remote console access to reboot.
🟠 Likely Case: System crash when specific driver operations are performed, requiring reboot to restore functionality.
🟢 If Mitigated: No impact if RoCE is disabled or the vulnerable driver functions aren't triggered.

🌐 Internet-Facing: LOW - Requires local access or ability to trigger specific driver operations.
🏢 Internal Only: MEDIUM - Local attackers or misconfigured applications could trigger the crash on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to trigger specific driver suspend/resume operations. The crash occurs when bnxt_ulp_stop() is called twice, which could be triggered through driver error conditions or specific system operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 1e9ac33fa271be0d2480fd732f9642d81542500b, 6f2cd309492924b8afd2c62aebff815c1119d124, cca4ffd4a5b768752b91f6f75d77928e47886913

Vendor Advisory: https://git.kernel.org/stable/c/1e9ac33fa271be0d2480fd732f9642d81542500b

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fix commits.
2. Reboot the system to load the new kernel.
3. Verify that the bnxt_en driver version matches the patched kernel.

🔧 Temporary Workarounds

Disable RoCE functionality

Disable RDMA over Converged Ethernet on Broadcom NetXtreme-E adapters

modprobe -r bnxt_re
echo 'blacklist bnxt_re' > /etc/modprobe.d/disable-bnxt-re.conf

Unload bnxt_en driver

Remove the vulnerable driver module (this disables network functionality on the interfaces it serves; if bnxt_re is loaded, unload it first, because it depends on bnxt_en)

modprobe -r bnxt_en

🧯 If You Can't Patch

  • Monitor system logs for kernel panic messages related to bnxt_re_suspend
  • Restrict local access to systems with vulnerable configurations

🔍 How to Verify

Check if Vulnerable:

Check if bnxt_en driver is loaded and RoCE is enabled: lsmod | grep -E 'bnxt_en|bnxt_re'

Check Version:

uname -r

Verify Fix Applied:

Check that the kernel version includes the fix commits, or verify that the bnxt_en driver doesn't crash during suspend/resume operations

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages containing 'bnxt_re_suspend'
  • NULL pointer dereference at address 0000000000000b78
  • Oops messages mentioning bnxt_en or bnxt_re modules

Network Indicators:

  • Sudden loss of network connectivity on affected interfaces
  • RoCE service disruptions

SIEM Query:

event_source="kernel" AND (message CONTAINS "bnxt_re_suspend" OR ((message CONTAINS "bnxt_en" OR message CONTAINS "bnxt_re") AND (message CONTAINS "Oops" OR message CONTAINS "NULL pointer")))
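
The module check and log indicators above, combined into two stdin-driven shell functions; this is an added example, not code from the advisory or the kernel project. Because an Oops report spans several log lines, the counter ties a report's opening line to bnxt stack frames seen before its end-trace marker. The sample lsmod and kernel-log text (offsets, timestamps, the dummy_mod module) is constructed.

```shell
#!/bin/sh
# Added example: exposure and crash-report checks for bnxt_en / bnxt_re.
# Both functions read text on stdin, so they also work on saved output.

# Classify `lsmod` output: not-loaded | bnxt_en-only | roce-enabled
exposure_from_lsmod() {
    awk '$1 == "bnxt_en" { en = 1 }
         $1 == "bnxt_re" { re = 1 }
         END { if (en && re) print "roce-enabled"
               else if (en)  print "bnxt_en-only"
               else          print "not-loaded" }'
}

# Count Oops reports whose frames point at the bnxt drivers. Module names on
# the "Modules linked in:" line carry no brackets, so they do not match.
count_bnxt_crash_reports() {
    awk '/BUG: kernel NULL pointer dereference|Oops:/ {
             if (!in_report) { in_report = 1; hit = 0 }
         }
         in_report && /bnxt_re_suspend|\[bnxt_(en|re)\]/ { hit = 1 }
         in_report && /---\[ end trace/ { if (hit) n++; in_report = 0 }
         END { if (in_report && hit) n++; print n + 0 }'
}

# Constructed sample input (not captured from a real system).
sample_lsmod() {
    printf '%s\n' 'Module Size Used by' \
        'bnxt_re 100000 0' 'bnxt_en 300000 1 bnxt_re'
}
sample_log() {
cat <<'EOF'
[  812.101] BUG: kernel NULL pointer dereference, address: 0000000000000b78
[  812.102] Oops: 0000 [#1] SMP NOPTI
[  812.103] Modules linked in: bnxt_re bnxt_en ib_core
[  812.104] RIP: 0010:bnxt_re_suspend+0x45/0x1f0 [bnxt_re]
[  812.105]  bnxt_ulp_stop+0x69/0x90 [bnxt_en]
[  812.106] ---[ end trace 0000000000000000 ]---
[ 1500.001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 1500.002] Modules linked in: bnxt_re bnxt_en dummy_mod
[ 1500.003] RIP: 0010:dummy_fn+0x12/0x40 [dummy_mod]
[ 1500.004] ---[ end trace 0000000000000000 ]---
EOF
}

echo "exposure: $(sample_lsmod | exposure_from_lsmod)"
echo "bnxt crash reports: $(sample_log | count_bnxt_crash_reports)"
```

On a live host, feed the functions real data with `lsmod | exposure_from_lsmod` and `dmesg | count_bnxt_crash_reports`.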
