CVE-2025-38735 Cert Portal CVE debrief

Who should care

Linux and OT/edge operators who rely on systems covered by the advisory, especially environments that can experience forced shutdowns or post-shutdown management activity. It also matters for administrators of systems using the affected gve network driver path described in the source advisory.

Technical summary

The vulnerability is a race/teardown flaw in the gve shutdown path. shutdown() stops DMA and dismantles most internal state, but the netdev can still be visible. If an ethtool operation is invoked afterward, the driver can touch freed or NULL data and panic the kernel. The fix prevents driver dispatch after shutdown by detaching the device with netif_device_detach().

Defensive priority

Medium

Recommended defensive actions

• Apply the vendor-provided update to version 5.0 or later where applicable.
• Verify whether any deployed systems actually match the advisory's affected product mapping before scheduling remediation.
• Review shutdown and maintenance procedures for systems that may still accept management operations during forced power-off or reboot events.
• Prioritize patching or maintenance on systems where kernel panics during shutdown would cause service interruption or recovery risk.
• Monitor for unexpected crashes or failed shutdowns on affected hosts until remediation is complete.

Evidence notes

The supplied CISA CSAF source states that an ethtool operation after shutdown() can dereference freed or NULL pointers and cause a kernel panic, and that the fix is to call netif_device_detach() in shutdown(). The same source also includes a Siemens ProductCERT remediation reference to update to V5.0 or later. However, the advisory metadata maps the CVE to Siemens SIMATIC CN 4100 vers:intdot/<5.0 while the vulnerability description itself refers to the Linux kernel gve driver, so the product mapping should be treated as low-confidence and verified before actioning.

Official resources