CVE-2025-38695 – A null pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2025-38695?

CVE-2025-38695 has a CVSS score of 5.5 (MEDIUM). A null pointer dereference vulnerability in the Linux kernel's lpfc SCSI driver could cause kernel panic or system crash when specific error conditions occur during Fibre Channel port initialization. This affects Linux systems using the lpfc driver for Emulex Fibre Channel host bus adapters. The vulnerability requires local access or ability to trigger the error condition.

📋 TL;DR

A null pointer dereference vulnerability in the Linux kernel's lpfc SCSI driver could cause kernel panic or system crash when specific error conditions occur during Fibre Channel port initialization. This affects Linux systems using the lpfc driver for Emulex Fibre Channel host bus adapters. The vulnerability requires local access or ability to trigger the error condition.

💻 Affected Systems

Products:

Linux kernel with lpfc driver

Versions: Linux kernel versions containing vulnerable lpfc driver code (specific versions not specified in CVE)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Emulex Fibre Channel HBAs using the lpfc driver. Requires specific error condition during port initialization.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash or kernel panic when specific error conditions occur during Fibre Channel adapter initialization.

🟢

If Mitigated

No impact if the error condition doesn't occur or if the system has proper kernel hardening protections.

🌐 Internet-Facing: LOW - Requires local access or ability to trigger specific hardware initialization errors.

🏢 Internal Only: MEDIUM - Could be triggered by privileged users or during system maintenance operations involving Fibre Channel adapters.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering specific error conditions during hardware initialization, making reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commit 46a0602c24d7d425dd8e00c749cd64a934aac7ec or later

Vendor Advisory: https://git.kernel.org/stable/c/46a0602c24d7d425dd8e00c749cd64a934aac7ec

Restart Required: No

Instructions:

1. Update Linux kernel to version containing the fix commit 2. Rebuild kernel if using custom kernel 3. Load updated lpfc module

🔧 Temporary Workarounds

Disable lpfc driver

all

Prevent loading of vulnerable lpfc driver if Fibre Channel functionality is not required

echo 'blacklist lpfc' >> /etc/modprobe.d/blacklist.conf
rmmod lpfc

🧯 If You Can't Patch

Avoid triggering Fibre Channel adapter initialization errors
Implement kernel hardening features like KASAN to detect null pointer dereferences

🔍 How to Verify

Check if Vulnerable:

Check if system uses lpfc driver: lsmod | grep lpfc && check kernel version against patched versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel contains fix commit: git log --oneline | grep '46a0602c24d7d425dd8e00c749cd64a934aac7ec'

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
NULL pointer dereference in kernel logs
lpfc driver error messages during initialization

Network Indicators:

Fibre Channel connectivity issues

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "lpfc")

📊 Metadata

CVE ID: CVE-2025-38695

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.01% exploit probability (2.3th percentile)

Published: September 4, 2025

Last Updated: January 9, 2026

🔗 References

https://git.kernel.org/stable/c/46a0602c24d7d425dd8e00c749cd64a934aac7ec Patch
https://git.kernel.org/stable/c/571617f171f723b05f02d154a2e549a17eab4935 Patch
https://git.kernel.org/stable/c/5e25ee1ecec91c61a8acf938ad338399cad464de Patch
https://git.kernel.org/stable/c/6698796282e828733cde3329c887b4ae9e5545e9 Patch
https://git.kernel.org/stable/c/6711ce7e9de4eb1a541ef30638df1294ea4267f8 Patch
https://git.kernel.org/stable/c/74bdf54a847dab209d2a8f65852f59b7fa156175 Patch
https://git.kernel.org/stable/c/7925dd68807cc8fd755b04ca99e7e6f1c04392e8 Patch
https://git.kernel.org/stable/c/add68606a01dcccf18837a53e85b85caf0693b4b Patch
https://git.kernel.org/stable/c/d3f55f46bb37a8ec73bfe3cfe36e3ecfa2945dfa Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory,Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory,Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38695, you might also want to check these: