CVE-2025-38109: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38109 was discovered and disclosed on July 3, 2025, affecting the Linux kernel. The vulnerability involves a use-after-free (UAF) condition in the net/mlx5 subsystem, specifically related to ECVF vports unload during the shutdown flow when a virtual function is created on the embedded chip (ECVF) of a BlueField device (NVD).

The vulnerability occurs when the vport ACL ingress table is not properly destroyed during shutdown. The ECVF functionality operates independently of the ecpfvportexists capability, which affects the mlx5eswitch(enable|disable)pfvfvports() functions. The issue manifests as a refcountt underflow leading to a use-after-free condition, as evidenced by kernel warnings and stack traces (CVE).

The vulnerability affects multiple Linux distributions and versions, including Ubuntu 25.04, 24.04 LTS, and 22.04 LTS, as well as various kernel flavors such as linux-aws, linux-azure, and linux-gcp. The issue could potentially lead to system instability or crashes during shutdown procedures (Ubuntu).

The vulnerability has been fixed in the Linux kernel through patches that properly handle the destruction of vport ACL ingress tables during shutdown. Multiple distributions have marked this for security updates, with some already providing fixed packages in their repositories (Ubuntu).