{"id":"AZL-71030","summary":"CVE-2025-38590 affecting package kernel 5.15.200.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Remove skb secpath if xfrm state is not found\n\nHardware returns a unique identifier for a decrypted packet's xfrm\nstate, this state is looked up in an xarray. However, the state might\nhave been freed by the time of this lookup.\n\nCurrently, if the state is not found, only a counter is incremented.\nThe secpath (sp) extension on the skb is not removed, resulting in\nsp-\u003elen becoming 0.\n\nSubsequently, functions like __xfrm_policy_check() attempt to access\nfields such as xfrm_input_state(skb)-\u003exso.type (which dereferences\nsp-\u003exvec[sp-\u003elen - 1]) without first validating sp-\u003elen. This leads to\na crash when dereferencing an invalid state pointer.\n\nThis patch prevents the crash by explicitly removing the secpath\nextension from the skb if the xfrm state is not found after hardware\ndecryption. This ensures downstream functions do not operate on a\nzero-length secpath.\n\n BUG: unable to handle page fault for address: ffffffff000002c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 282e067 P4D 282e067 PUD 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__xfrm_policy_check+0x61a/0xa30\n Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 \u003c0f\u003e b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa\n RSP: 0018:ffff88885fb04918 EFLAGS: 00010297\n RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000\n RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353\n R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8\n R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00\n FS:  0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cIRQ\u003e\n  ? try_to_wake_up+0x108/0x4c0\n  ? udp4_lib_lookup2+0xbe/0x150\n  ? udp_lib_lport_inuse+0x100/0x100\n  ? __udp4_lib_lookup+0x2b0/0x410\n  __xfrm_policy_check2.constprop.0+0x11e/0x130\n  udp_queue_rcv_one_skb+0x1d/0x530\n  udp_unicast_rcv_skb+0x76/0x90\n  __udp4_lib_rcv+0xa64/0xe90\n  ip_protocol_deliver_rcu+0x20/0x130\n  ip_local_deliver_finish+0x75/0xa0\n  ip_local_deliver+0xc1/0xd0\n  ? ip_protocol_deliver_rcu+0x130/0x130\n  ip_sublist_rcv+0x1f9/0x240\n  ? ip_rcv_finish_core+0x430/0x430\n  ip_list_rcv+0xfc/0x130\n  __netif_receive_skb_list_core+0x181/0x1e0\n  netif_receive_skb_list_internal+0x200/0x360\n  ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]\n  gro_receive_skb+0xfd/0x210\n  mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]\n  mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]\n  ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]\n  mlx5e_napi_poll+0x114/0xab0 [mlx5_core]\n  __napi_poll+0x25/0x170\n  net_rx_action+0x32d/0x3a0\n  ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]\n  ? notifier_call_chain+0x33/0xa0\n  handle_softirqs+0xda/0x250\n  irq_exit_rcu+0x6d/0xc0\n  common_interrupt+0x81/0xa0\n  \u003c/IRQ\u003e","modified":"2026-04-01T05:22:30.610913Z","published":"2025-08-19T17:15:36Z","upstream":["CVE-2025-38590"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38590"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.15.200.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-71030.json"}}],"schema_version":"1.7.5"}