CVE-2025-38590

5.5 MEDIUM

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's mlx5e network driver allows a kernel crash when processing decrypted network packets. This affects systems using Mellanox network hardware with IPsec offloading enabled. The vulnerability can lead to denial of service but not privilege escalation.

💻 Affected Systems

Products:
  • Linux kernel with mlx5_core driver
Versions: Linux kernel versions before the fix commit 137b12a4900eb6971b889839eab6036f72cbb217
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using Mellanox ConnectX network adapters with IPsec hardware offloading enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash and denial of service, potentially affecting multiple systems in a cluster environment.

🟠 Likely Case

System crash or instability when processing IPsec traffic, requiring reboot to restore service.

🟢 If Mitigated

No impact if IPsec is not used or if hardware offloading is disabled.

🌐 Internet-Facing: MEDIUM - Requires IPsec traffic to be processed, which is common on internet-facing systems but exploitation requires specific conditions.
🏢 Internal Only: MEDIUM - Internal systems using IPsec for VPNs or secure communications could be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to send specially crafted IPsec traffic to the vulnerable system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commit 137b12a4900eb6971b889839eab6036f72cbb217 or later

Vendor Advisory: https://git.kernel.org/stable/c/137b12a4900eb6971b889839eab6036f72cbb217

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commit.
2. Reboot system to load new kernel.
3. Verify kernel version with 'uname -r'.

🔧 Temporary Workarounds

Disable IPsec hardware offloading

Linux

Prevent use of vulnerable code path by disabling hardware acceleration for IPsec

ethtool -K <interface> rx-udp_tunnel-port-offload off
ethtool -K <interface> tx-udp_tunnel-port-offload off

🧯 If You Can't Patch

  • Disable IPsec on affected network interfaces
  • Implement network segmentation to limit IPsec traffic to trusted sources

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if mlx5_core driver is loaded with 'lsmod | grep mlx5' and 'ethtool -i <interface>' for Mellanox devices

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commit with 'uname -r' and check git log for commit 137b12a4900eb6971b889839eab6036f72cbb217

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages mentioning __xfrm_policy_check
  • System crash logs with page fault at address ffffffff000002c8

Network Indicators:

  • Unexpected system reboots during IPsec traffic processing

SIEM Query:

source="kernel" AND ("Oops" OR "BUG" OR "page fault") AND ("__xfrm_policy_check" OR "mlx5e")
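
A kernel oops is printed across several log lines, so the fault marker and the `__xfrm_policy_check` symbol usually land in different events when the pipeline ingests one line per event (an assumption about the log source). The added example below, which is not part of the original advisory, applies the query's two conditions across a window of lines instead; the log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample kernel log (illustrative; offsets and timestamps are made up).
SAMPLE_LOG = """\
[  101.000001] mlx5_core 0000:08:00.0 eth2: Link up
[  245.310112] BUG: unable to handle page fault for address: ffffffff000002c8
[  245.310130] #PF: supervisor read access in kernel mode
[  245.310160] Oops: 0000 [#1] SMP
[  245.310190] RIP: 0010:__xfrm_policy_check+0x10/0x20
[  245.310220] Call Trace:
[  245.310250]  mlx5e_napi_poll+0x10/0x20 [mlx5_core]
[  900.000000] BUG: soft lockup - CPU#3 stuck for 22s
[  900.000100] RIP: 0010:some_other_function+0x10/0x20
""".splitlines()

# The two halves of the page's SIEM query.
FAULT = re.compile(r"\b(?:Oops|BUG|page fault)\b")
CONTEXT = re.compile(r"__xfrm_policy_check|mlx5e")


def single_line_matches(lines):
    """Per-line AND, i.e. the query applied to one log line at a time."""
    return [l for l in lines if FAULT.search(l) and CONTEXT.search(l)]


def correlate(lines, window=20):
    """Pair a fault marker with a context symbol seen within `window` lines."""
    hits, pending = [], None  # pending = (index, text) of the open fault marker
    for i, line in enumerate(lines):
        if FAULT.search(line) and (pending is None or i - pending[0] > window):
            pending = (i, line.strip())
        if pending and CONTEXT.search(line) and i - pending[0] <= window:
            hits.append({"fault": pending[1], "context": line.strip()})
            pending = None  # one alert per oops, ignore later trace frames
    return hits


if __name__ == "__main__":
    print("per-line matches:", single_line_matches(SAMPLE_LOG))
    for hit in correlate(SAMPLE_LOG):
        print("ALERT:", hit["fault"], "->", hit["context"])
```

The unrelated soft-lockup entry in the sample produces no alert because no matching symbol follows it inside the window.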
