CVE-2025-38735: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38735 is a vulnerability discovered in the Linux kernel affecting the Google Virtual Ethernet (gve) driver. The vulnerability was disclosed on September 5, 2025, and involves a potential crash that can occur if an ethtool operation is invoked after the shutdown() function is called (NVD).

The vulnerability occurs because shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. While it is discouraged to unregister the netdev in this path, the device may still be visible to userspace and kernel helpers. In the gve driver, shutdown() tears down most internal data structures. If an ethtool operation is dispatched after shutdown(), it will dereference freed or NULL pointers, leading to a kernel panic (NVD).

The vulnerability can lead to a kernel panic, particularly during forced shutdowns as observed on Google Cloud Platform (GCP) Virtual Machines. While graceful shutdown normally quiesces userspace before invoking the reboot syscall, forced shutdowns can still trigger this problematic path (NVD).

The vulnerability has been fixed by calling netif_device_detach() in shutdown(). This solution marks the device as detached so the ethtool ioctl handler will skip dispatching operations to the driver (NVD).