
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38272 is a vulnerability discovered in the Linux kernel affecting the network subsystem, specifically related to the DSA (Distributed Switch Architecture) b53 driver. The vulnerability was disclosed on July 10, 2025, and affects BCM63xx internal switches that do not support EEE (Energy Efficient Ethernet) functionality (NVD, Debian Tracker).
The vulnerability occurs in the Linux kernel's networking stack, specifically in the handling of EEE capabilities for BCM63xx internal switches. These switches provide multiple RGMII ports where external PHYs may be connected, but the switches themselves do not support EEE. When an EEE-capable PHY is connected, the system attempts to enable EEE for the MACs, and the resulting access to non-existent EEE registers hangs the system (NVD).
When exploited, this vulnerability can cause system hangs on affected devices when attempting to access non-existent EEE registers. This primarily affects systems using BCM63xx internal switches with EEE-capable external PHYs connected (NVD).
The vulnerability has been fixed by implementing a check to verify that the switch actually supports EEE before attempting to configure it. Multiple Linux distributions have released patches, including Debian, which has addressed this in various versions across the bullseye, bookworm, trixie, and sid releases (Debian Tracker).
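The shape of the bug and of the fix described above, as an added example: a simplified userspace model in C, not the kernel's b53 code. Every type and function name in it (`sw_dev`, `sw_supports_eee`, `eee_init_unchecked`, `eee_init_checked`) is hypothetical, and the hang is modelled as a flag rather than a stalled bus access.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code: all names here are hypothetical. */
enum chip_family { CHIP_WITH_EEE, CHIP_BCM63XX_LIKE };
struct sw_dev {
    enum chip_family family;
    unsigned eee_reg_accesses; /* touches of the EEE register block */
    bool hung;                 /* set when a non-existent register is touched */
};
struct phy { bool eee_capable; };

/* Capability of the switch MAC itself, independent of the attached PHY. */
static bool sw_supports_eee(const struct sw_dev *dev)
{
    return dev->family != CHIP_BCM63XX_LIKE;
}

/* Models the register access; on a chip without the block it never completes. */
static void sw_write_eee_reg(struct sw_dev *dev)
{
    dev->eee_reg_accesses++;
    if (!sw_supports_eee(dev))
        dev->hung = true;
}

/* Before: the decision is driven only by what the external PHY advertises. */
bool eee_init_unchecked(struct sw_dev *dev, const struct phy *phy)
{
    if (!phy->eee_capable)
        return false;
    sw_write_eee_reg(dev);
    return !dev->hung;
}

/* After: the switch capability is checked before any register is touched. */
bool eee_init_checked(struct sw_dev *dev, const struct phy *phy)
{
    if (!sw_supports_eee(dev) || !phy->eee_capable)
        return false;
    sw_write_eee_reg(dev);
    return true;
}

int main(void)
{
    struct phy p = { true };
    struct sw_dev a = { CHIP_BCM63XX_LIKE, 0, false }, b = a;
    eee_init_unchecked(&a, &p);
    eee_init_checked(&b, &p);
    printf("unchecked hung=%d, checked hung=%d\n", a.hung, b.hung);
    return 0;
}
```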
Source: This report was generated using AI