CVE-2025-37865: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported

Russell King reports that on the ZII dev rev B, deleting a bridge VLAN from a user port fails with -ENOENT:
https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/

This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(), which tries to find an MST entry in &chip->msts associated with the SID, but fails and returns -ENOENT as such.

But we know that this chip does not support MST at all, so that is not surprising. The question is why does the guard in mv88e6xxx_mst_put() not exit early:

    if (!sid)
        return 0;

And the answer seems to be simple: the sid comes from vlan.sid which supposedly was previously populated by mv88e6xxx_vtu_get(). But some chip->info->ops->vtu_getnext() implementations do not populate vlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case, later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is just residual stack memory.

Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge VLAN mapped to the default MSTI. For some chips, SID 0 is valid and installed by mv88e6xxx_stu_setup(). A chip which does not support the STU would implicitly only support mapping all VLANs to the default MSTI, so although SID 0 is not valid, it would be sufficient, if we were to zero-initialize the vlan structure, to fix the bug, due to the coincidence that a test for vlan.sid == 0 already exists and leads to the same (correct) behavior.

Another option which would be sufficient would be to add a test for mv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one which already exists in mv88e6xxx_mst_get(). But that placement means the caller will have to dereference vlan.sid, which means it will access uninitialized memory, which is not nice even if it ignores it later.

So we end up making both modifications, in order to not rely just on the sid == 0 coincidence, but also to avoid having uninitialized structure fields which might get temporarily accessed.
AI Analysis
Technical Summary
CVE-2025-37865 is a vulnerability identified in the Linux kernel's network subsystem, specifically within the Distributed Switch Architecture (DSA) driver for Marvell mv88e6xxx Ethernet switches. The issue arises when deleting VLANs on certain hardware chips that do not support Multiple Spanning Tree (MST). The root cause is improper handling of the VLAN Spanning Tree Identifier (SID) field, which in some cases remains uninitialized due to incomplete or inconsistent population by the chip-specific VLAN Table Unit (VTU) operations. This leads to the mv88e6xxx_mst_put() function attempting to access an invalid or garbage SID value, resulting in an erroneous -ENOENT (No such file or directory) error when deleting VLANs. The vulnerability is essentially a logic flaw and improper memory initialization in the VLAN deletion path, which can cause unexpected failures or potentially undefined behavior in network bridge VLAN management on affected devices. The fix involves zero-initializing the VLAN structure to ensure SID is never garbage and adding conditional checks to avoid dereferencing uninitialized memory, thereby preventing the erroneous error return and stabilizing VLAN deletion operations on unsupported MST hardware. This vulnerability does not appear to allow direct code execution or privilege escalation but may impact network functionality and stability on affected Linux systems using these specific Marvell switch chips.
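The failure mode and both fixes can be reproduced in a small user-space model. This is an added example, not the kernel driver's code: the struct layouts, the function names vtu_getnext_no_sid(), mst_put() and vlan_leave(), and the stack_fill parameter (a constructed stand-in for residual stack bytes, so the result is deterministic) are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the driver's structures (assumed layout). */
struct vtu_entry { uint16_t vid; uint8_t sid; };
struct chip { bool has_stu; uint8_t mst_sid; /* one tracked MST entry; 0 = none */ };

/* Like the getnext variants the description mentions, this never writes e->sid. */
static void vtu_getnext_no_sid(struct vtu_entry *e, uint16_t vid)
{
    e->vid = vid;
}

/* stu_check enables the added has-STU test; the sid == 0 guard is the old one. */
int mst_put(const struct chip *c, uint8_t sid, bool stu_check)
{
    if (stu_check && !c->has_stu)
        return 0;
    if (!sid)
        return 0;
    return c->mst_sid == sid ? 0 : -ENOENT;
}

/*
 * Model of the VLAN-leave path. stack_fill is a constructed stand-in for
 * residual stack bytes, so the outcome is deterministic instead of undefined.
 */
int vlan_leave(const struct chip *c, uint8_t stack_fill, bool zero_init, bool stu_check)
{
    struct vtu_entry vlan;

    memset(&vlan, stack_fill, sizeof(vlan));
    if (zero_init)
        memset(&vlan, 0, sizeof(vlan));     /* fix 1: zero-initialize the entry */
    vtu_getnext_no_sid(&vlan, 100);
    return mst_put(c, vlan.sid, stu_check); /* fix 2 is the check in mst_put() */
}

int main(void)
{
    const struct chip no_stu = { .has_stu = false, .mst_sid = 0 };

    printf("unfixed, dirty stack: %d\n", vlan_leave(&no_stu, 0xAA, false, false));
    printf("unfixed, clean stack: %d\n", vlan_leave(&no_stu, 0x00, false, false));
    printf("zero-init only:       %d\n", vlan_leave(&no_stu, 0xAA, true, false));
    printf("STU check only:       %d\n", vlan_leave(&no_stu, 0xAA, false, true));
    return 0;
}
```

The unfixed path succeeds or fails depending only on what the stack happened to contain, which is why the error can appear intermittent in the field.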
Potential Impact
For European organizations, the impact of CVE-2025-37865 primarily concerns network reliability and operational stability rather than direct security breaches like data leaks or system compromise. Organizations relying on Linux-based network devices or embedded systems that incorporate Marvell mv88e6xxx Ethernet switches could experience VLAN management failures, leading to network segmentation issues or degraded network performance. This could disrupt internal communications, affect service availability, or complicate network administration, especially in environments with complex VLAN configurations or heavy use of bridging. Critical infrastructure sectors such as telecommunications, data centers, and industrial control systems that deploy Linux-based networking equipment with these chips may face operational risks. While no known exploits are reported in the wild, the vulnerability's presence in kernel code used widely across servers, IoT devices, and embedded systems means that unpatched systems could encounter stability issues, potentially increasing downtime or maintenance overhead.
Mitigation Recommendations
To mitigate CVE-2025-37865, European organizations should:
1) Identify and inventory Linux systems and embedded devices using Marvell mv88e6xxx Ethernet switches, focusing on those running affected kernel versions.
2) Apply the official Linux kernel patches that zero-initialize VLAN structures and add necessary checks in the mv88e6xxx driver code as soon as they become available.
3) For devices where kernel updates are not immediately feasible, consider workarounds such as avoiding VLAN deletion operations on affected ports or disabling MST features if not required.
4) Monitor network logs and error messages related to VLAN operations for signs of this issue.
5) Engage with hardware vendors and Linux distribution maintainers to ensure timely updates and support.
6) Implement robust network segmentation and redundancy to minimize impact from VLAN management failures.
7) Conduct thorough testing of network configurations post-patch to confirm resolution and stability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.958Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7d2c
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/4/2025, 12:40:57 AM
Last updated: 8/15/2025, 9:40:49 PM