AZL-66629

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66629.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-66629

Upstream

CVE-2025-38623

Published

2025-08-22T16:15:35Z

Modified

2026-04-01T05:21:01.200024Z

Summary

CVE-2025-38623 affecting package kernel for versions less than 6.6.104.2-1

Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: pnv_php: Fix surprise plug detection and recovery

The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices.

This comes down to two issues:

1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE.

2) When a device is removed from a slot, regardless of surprise or programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot.

Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pcibustoOFnode() returns NULL.

[bhelgaas: tidy comments]

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38623

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.104.2-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66629.json"