CVE-2025-38373 – A deadlock vulnerability in the Linux kernel's ... (How to Fix)

Q: What is the severity of CVE-2025-38373?

CVE-2025-38373 has a CVSS score of 5.5 (MEDIUM). A deadlock vulnerability in the Linux kernel's InfiniBand mlx5 driver can cause system hangs when memory reclamation triggers during MR deregistration. This affects systems using Mellanox InfiniBand hardware with the mlx5 driver. The vulnerability requires local access to trigger.

📋 TL;DR

A deadlock vulnerability in the Linux kernel's InfiniBand mlx5 driver can cause system hangs when memory reclamation triggers during MR deregistration. This affects systems using Mellanox InfiniBand hardware with the mlx5 driver. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:

Linux kernel with mlx5 InfiniBand driver

Versions: Specific kernel versions containing the vulnerable code (check git commits for exact ranges)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Mellanox InfiniBand hardware using the mlx5 driver. Requires ODP (On-Demand Paging) functionality.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system deadlock requiring hard reboot, causing denial of service to all applications and potential data loss.

🟠

Likely Case

System hang affecting specific processes using InfiniBand, requiring intervention to restore functionality.

🟢

If Mitigated

No impact if proper kernel patches are applied or if system doesn't use affected InfiniBand hardware/driver.

🌐 Internet-Facing: LOW - Requires local access to trigger, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Local users or processes could trigger deadlock, affecting system stability and availability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to trigger specific memory allocation patterns during MR deregistration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 2ed25aa7f7711f508b6120e336f05cd9d49943c0, 727eb1be65a370572edf307558ec3396b8573156, beb89ada5715e7bd1518c58863eedce89ec051a7

Vendor Advisory: https://git.kernel.org/stable/c/2ed25aa7f7711f508b6120e336f05cd9d49943c0

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable ODP functionality

linux

Disable On-Demand Paging for mlx5 driver to avoid the deadlock path

echo 0 > /sys/class/infiniband/mlx5_*/odp/enable

🧯 If You Can't Patch

Restrict local user access to systems with affected hardware
Monitor system for deadlock conditions and have reboot procedures ready

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if mlx5 InfiniBand driver is loaded: lsmod | grep mlx5

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits and test InfiniBand functionality

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
System hang reports
Process deadlock warnings in dmesg

Network Indicators:

InfiniBand connectivity loss
High-performance computing job failures

SIEM Query:

Search for kernel panic events or system hang alerts related to mlx5 driver

📊 Metadata

CVE ID: CVE-2025-38373

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-667

EPSS Score: 0.01% exploit probability (0.9th percentile)

Published: July 25, 2025

Last Updated: November 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38373, you might also want to check these: