{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: hv_netvsc: Fix panic during namespace deletion with VF",
    "id" : "2393176",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393176"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-820",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nhv_netvsc: Fix panic during namespace deletion with VF\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\nreceived on netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() >> default_device_exit_net() is called. When\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings VF NIC back to the default namespace. This will cause\nthe default_device_exit_net() >> for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  231.450246] #PF: supervisor read access in kernel mode\n[  231.450579] #PF: error_code(0x0000) - not-present page\n[  231.450916] PGD 17b8a8067 P4D 0\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  231.452692] Workqueue: netns cleanup_net\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[  231.458434] Call Trace:\n[  231.458600]  <TASK>\n[  231.458777]  ops_undo_list+0x100/0x220\n[  231.459015]  cleanup_net+0x1b8/0x300\n[  231.459285]  process_one_work+0x184/0x340\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38683\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38683\nhttps://lore.kernel.org/linux-cve-announce/2025090446-CVE-2025-38683-573c@gregkh/T" ],
  "name" : "CVE-2025-38683",
  "csaw" : false
}