LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38551: virtio-net: fix recursived rtnl_lock() during probe()

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the virtio-net driver is still probing. The config_work in probe() will get scheduled until virtnet_open() enables the config change notification via virtio_config_driver_enable().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-38551 is a Linux kernel virtio-net deadlock during virtual network device startup. A virtual machine monitor can trigger a timing condition while the driver probes, potentially hanging network initialization. The public record does not provide CVSS, confirmed attacks, or broad product advisories.

Executive priority

Handle through normal kernel patch management, with higher priority for virtualized production fleets using virtio-net. The issue appears availability-focused and source evidence does not show active exploitation, but kernel deadlocks during VM networking can still disrupt service startup or recovery.

Technical view

The virtio-net probe path can take rtnl_lock(), then process config work that calls netdev_notify_peers(), which attempts rtnl_lock() again. The cited fix delays config change handling until virtnet_open() enables notifications, avoiding recursive rtnl_lock() during probe.

Likely exposure

Exposure is most relevant to Linux virtual machines using virtio-net on kernel versions or branches identified as affected in the CVE record, including 6.12, 6.12.40, 6.15.8, and 6.16 entries. Non-virtualized systems or systems not using virtio-net are less likely exposed.

Exploitation context

No KEV listing or cited source reports active exploitation. The described trigger requires the VMM to send a VIRTIO_NET_S_ANNOUNCE request during driver probing, so the practical concern is availability impact in virtualized environments with a malicious, compromised, or faulty VMM.

Researcher notes

The evidence supports a virtio-net probe-time locking bug and stable-kernel fixes. Public data is incomplete on CVSS, real-world exploitation, and exact downstream distro status. Validate exposure by kernel branch, backport status, and virtio-net usage rather than assuming all Linux systems are affected.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable virtio-net fixes.
  • Check distribution advisories for backported fixes covering CVE-2025-38551.
  • Prioritize VM fleets that use virtio-net and affected kernel branches.
  • Treat untrusted or shared virtualization control planes as higher priority.

Validation and detection

  • Inventory Linux kernel versions across virtualized systems.
  • Identify guests using the virtio_net driver.
  • Confirm fixed commits or distro backports are present in deployed kernels.
  • Review boot or network-device probe logs for virtio-net hangs.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38551 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxdf28de7b00502761eba62490f413c65c9b175ed9, df28de7b00502761eba62490f413c65c9b175ed9, df28de7b00502761eba62490f413c65c9b175ed9, cb06b26bb2e6d2c6a32f65f7bb1b7dcbe033d675, 6.11.2unaffected
LinuxLinux6.12, 0, 6.12.40, 6.15.8, 6.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.