CVE-2025-38537: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38537 is a vulnerability discovered in the Linux kernel related to LED registration in generic PHY drivers. The issue was disclosed on August 16, 2025, affecting the network subsystem's PHY handling. The vulnerability specifically involves the improper handling of LED registration when a PHY has no driver and the genphy driver is used as a fallback (NVD, Debian Tracker).

The vulnerability occurs when a PHY without a specific driver uses the genphy driver during phy_attach/detach operations. If the PHY's ofnode contains an 'leds' subnode, LED registration and unregistration operations can lead to a deadlock condition. The deadlock sequence involves multiple kernel functions including rtnl_lock(), ndo_close(), phy_detach(), phy_remove(), phy_leds_unregister(), led_classdev_unregister(), led_trigger_set(), netdev_trigger_deactivate(), and unregister_netdevice_notifier(). The issue has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is categorized under CWE-833 (Red Hat).

The vulnerability can result in a deterministic deadlock condition in the Linux kernel's network subsystem. While there is also a race condition on the open/register side that can be detected by lockdep, the primary concern is the deterministic deadlock during PHY device removal. This can affect system stability and network device operations (NVD).

The issue has been resolved by preventing LED registration for generic PHYs, as they do not support LEDs anyway. Various Linux distributions have released or are in the process of releasing patches. Ubuntu has marked this as a medium priority issue, with fixes being implemented across different kernel versions. Red Hat has deferred fixes for RHEL 9 and 10, while RHEL 7 and 8 are not affected (Ubuntu, Red Hat).