GHSA-7WXG-2396-HR4X
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-01-08 18:30In the Linux kernel, the following vulnerability has been resolved:
gve: prevent ethtool ops after shutdown
A crash can occur if an ethtool operation is invoked after shutdown() is called.
shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers.
In gve, shutdown() tears down most internal data structures. If an ethtool operation is dispatched after shutdown(), it will dereference freed or NULL pointers, leading to a kernel panic. While graceful shutdown normally quiesces userspace before invoking the reboot syscall, forced shutdowns (as observed on GCP VMs) can still trigger this path.
Fix by calling netif_device_detach() in shutdown(). This marks the device as detached so the ethtool ioctl handler will skip dispatching operations to the driver.
{
"affected": [],
"aliases": [
"CVE-2025-38735"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:42Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: prevent ethtool ops after shutdown\n\nA crash can occur if an ethtool operation is invoked\nafter shutdown() is called.\n\nshutdown() is invoked during system shutdown to stop DMA operations\nwithout performing expensive deallocations. It is discouraged to\nunregister the netdev in this path, so the device may still be visible\nto userspace and kernel helpers.\n\nIn gve, shutdown() tears down most internal data structures. If an\nethtool operation is dispatched after shutdown(), it will dereference\nfreed or NULL pointers, leading to a kernel panic. While graceful\nshutdown normally quiesces userspace before invoking the reboot\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\nthis path.\n\nFix by calling netif_device_detach() in shutdown().\nThis marks the device as detached so the ethtool ioctl handler\nwill skip dispatching operations to the driver.",
"id": "GHSA-7wxg-2396-hr4x",
"modified": "2026-01-08T18:30:27Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38735"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48a4e89d50e8ea52e800bc7865970b92fcf4647c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75a9a46d67f46d608205888f9b34e315c1786345"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9d8a41e9a4ff83ff666de811e7f012167cdc00e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7efffeecb881b4649fdc30de020ef910f35d646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba51d73408edf815cbaeab148625576c2dd90192"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.