CVE-2025-38149

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38149
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38149.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38149
Downstream
Related
Published
2025-07-03T08:35:54Z
Modified
2025-10-18T02:48:34.873130Z
Summary
net: phy: clear phydev->devlink when the link is deleted
Details

In the Linux kernel, the following vulnerability has been resolved:

net: phy: clear phydev->devlink when the link is deleted

There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phydetach() calls devicelinkdel() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phyattachdirect() fails before calling devicelinkadd(), the code jumps to the "error" label and calls phydetach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, devicelinkdel() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows.

[ 24.702421] Call trace: [ 24.704856] devicelinkputkref+0x20/0x120 [ 24.709124] devicelinkdel+0x30/0x48 [ 24.712864] phydetach+0x24/0x168 [ 24.716261] phyattachdirect+0x168/0x3a4 [ 24.720352] phylinkfwnodephyconnect+0xc8/0x14c [ 24.725140] phylinkofphyconnect+0x1c/0x34

Therefore, phydev->devlink needs to be cleared when the device link is deleted.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc66fa87d4fda9053a8145e5718fc278c2b88253
Fixed
363fdf2777423ad346d781f09548cca14877f729
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc66fa87d4fda9053a8145e5718fc278c2b88253
Fixed
ddc654e89ace723b78c34911c65243accbc9b75c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc66fa87d4fda9053a8145e5718fc278c2b88253
Fixed
034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc66fa87d4fda9053a8145e5718fc278c2b88253
Fixed
0795b05a59b1371b18ffbf09d385296b12e9f5d5

Affected versions

v6.*

v6.1
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0795b05a59b1371b18ffbf09d385296b12e9f5d5",
        "id": "CVE-2025-38149-2fcd9bb7",
        "digest": {
            "function_hash": "41184935385523338133506102247773819017",
            "length": 1167.0
        },
        "target": {
            "function": "phy_detach",
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@363fdf2777423ad346d781f09548cca14877f729",
        "id": "CVE-2025-38149-415bb32c",
        "digest": {
            "function_hash": "107691690081012089657478851297775593100",
            "length": 991.0
        },
        "target": {
            "function": "phy_detach",
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ddc654e89ace723b78c34911c65243accbc9b75c",
        "id": "CVE-2025-38149-878b88a6",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "206290309524835746854512572148661072638",
                "339554857702093977677595550276163989517",
                "58500435448095213588232761298546402788",
                "290932292285073598910739650801495861365",
                "10027520929316782148643333278732002109"
            ]
        },
        "target": {
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87",
        "id": "CVE-2025-38149-94b1994f",
        "digest": {
            "function_hash": "41184935385523338133506102247773819017",
            "length": 1167.0
        },
        "target": {
            "function": "phy_detach",
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@363fdf2777423ad346d781f09548cca14877f729",
        "id": "CVE-2025-38149-bbd788a6",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "206290309524835746854512572148661072638",
                "339554857702093977677595550276163989517",
                "58500435448095213588232761298546402788",
                "290932292285073598910739650801495861365",
                "10027520929316782148643333278732002109"
            ]
        },
        "target": {
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ddc654e89ace723b78c34911c65243accbc9b75c",
        "id": "CVE-2025-38149-c2254378",
        "digest": {
            "function_hash": "312579510071577982462141742469346143550",
            "length": 1018.0
        },
        "target": {
            "function": "phy_detach",
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0795b05a59b1371b18ffbf09d385296b12e9f5d5",
        "id": "CVE-2025-38149-d8156c2f",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "206290309524835746854512572148661072638",
                "339554857702093977677595550276163989517",
                "58500435448095213588232761298546402788",
                "290932292285073598910739650801495861365",
                "10027520929316782148643333278732002109"
            ]
        },
        "target": {
            "file": "drivers/net/phy/phy_device.c"
        }
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87",
        "id": "CVE-2025-38149-e4439ebc",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "206290309524835746854512572148661072638",
                "339554857702093977677595550276163989517",
                "58500435448095213588232761298546402788",
                "290932292285073598910739650801495861365",
                "10027520929316782148643333278732002109"
            ]
        },
        "target": {
            "file": "drivers/net/phy/phy_device.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.94
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.34
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.3