CVE-2025-38211 (GCVE-0-2025-38211)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-06-11 18:44
VLAI
Title
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last
deref") simplified cm_id resource management by freeing cm_id once all
references to the cm_id were removed. The references are removed either
upon completion of iw_cm event handlers or when the application destroys
the cm_id. This commit introduced the use-after-free condition where
cm_id_private object could still be in use by event handler works during
the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a
use-after-free related to destroying CM IDs") addressed this use-after-
free by flushing all pending works at the cm_id destruction.
However, still another use-after-free possibility remained. It happens
with the work objects allocated for each cm_id_priv within
alloc_work_entries() during cm_id creation, and subsequently freed in
dealloc_work_entries() once all references to the cm_id are removed.
If the cm_id's last reference is decremented in the event handler work,
the work object for the work itself gets removed, and causes the use-
after-free BUG below:
BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091
CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Workqueue: 0x0 (iw_cm_wq)
Call Trace:
<TASK>
dump_stack_lvl+0x6a/0x90
print_report+0x174/0x554
? __virt_addr_valid+0x208/0x430
? __pwq_activate_work+0x1ff/0x250
kasan_report+0xae/0x170
? __pwq_activate_work+0x1ff/0x250
__pwq_activate_work+0x1ff/0x250
pwq_dec_nr_in_flight+0x8c5/0xfb0
process_one_work+0xc11/0x1460
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5ef/0xfd0
? __pfx_worker_thread+0x10/0x10
kthread+0x3b0/0x770
? __pfx_kthread+0x10/0x10
? rcu_is_watching+0x11/0xb0
? _raw_spin_unlock_irq+0x24/0x50
? rcu_is_watching+0x11/0xb0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x30/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 147416:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
__kasan_kmalloc+0xa6/0xb0
alloc_work_entries+0xa9/0x260 [iw_cm]
iw_cm_connect+0x23/0x4a0 [iw_cm]
rdma_connect_locked+0xbfd/0x1920 [rdma_cm]
nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]
cma_cm_event_handler+0xae/0x320 [rdma_cm]
cma_work_handler+0x106/0x1b0 [rdma_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 147091:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kfree+0x13a/0x4b0
dealloc_work_entries+0x125/0x1f0 [iw_cm]
iwcm_deref_id+0x6f/0xa0 [iw_cm]
cm_work_handler+0x136/0x1ba0 [iw_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x2c/0x50
kasan_record_aux_stack+0xa3/0xb0
__queue_work+0x2ff/0x1390
queue_work_on+0x67/0xc0
cm_event_handler+0x46a/0x820 [iw_cm]
siw_cm_upcall+0x330/0x650 [siw]
siw_cm_work_handler+0x6b9/0x2b20 [siw]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
This BUG is reproducible by repeating the blktests test case nvme/061
for the rdma transport and the siw driver.
To avoid the use-after-free of cm_id_private work objects, ensure that
the last reference to the cm_id is decremented not in the event handler
works, but in the cm_id destruction context. For that purpose, mo
---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 013dcdf6f03bcedbaf1669e3db71c34a197715b2
(git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 3b4a50d733acad6831f6bd9288a76a80f70650ac (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 23a707bbcbea468eedb398832eeb7e8e0ceafd21 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 764c9f69beabef8bdc651a7746c59f7a340d104f (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < fd960b5ddf4faf00da43babdd3acda68842e1f6a (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 6883b680e703c6b2efddb4e7a8d891ce1803d06b (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:29.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:18.332991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "013dcdf6f03bcedbaf1669e3db71c34a197715b2",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "3b4a50d733acad6831f6bd9288a76a80f70650ac",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "78381dc8a6b61c9bb9987d37b4d671b99767c4a1",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "23a707bbcbea468eedb398832eeb7e8e0ceafd21",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "764c9f69beabef8bdc651a7746c59f7a340d104f",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "fd960b5ddf4faf00da43babdd3acda68842e1f6a",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "6883b680e703c6b2efddb4e7a8d891ce1803d06b",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n Workqueue: 0x0 (iw_cm_wq)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6a/0x90\n print_report+0x174/0x554\n ? __virt_addr_valid+0x208/0x430\n ? __pwq_activate_work+0x1ff/0x250\n kasan_report+0xae/0x170\n ? __pwq_activate_work+0x1ff/0x250\n __pwq_activate_work+0x1ff/0x250\n pwq_dec_nr_in_flight+0x8c5/0xfb0\n process_one_work+0xc11/0x1460\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x16c/0x240\n worker_thread+0x5ef/0xfd0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x3b0/0x770\n ? __pfx_kthread+0x10/0x10\n ? rcu_is_watching+0x11/0xb0\n ? _raw_spin_unlock_irq+0x24/0x50\n ? rcu_is_watching+0x11/0xb0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 147416:\n kasan_save_stack+0x2c/0x50\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n alloc_work_entries+0xa9/0x260 [iw_cm]\n iw_cm_connect+0x23/0x4a0 [iw_cm]\n rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n cma_cm_event_handler+0xae/0x320 [rdma_cm]\n cma_work_handler+0x106/0x1b0 [rdma_cm]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 147091:\n kasan_save_stack+0x2c/0x50\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kfree+0x13a/0x4b0\n dealloc_work_entries+0x125/0x1f0 [iw_cm]\n iwcm_deref_id+0x6f/0xa0 [iw_cm]\n cm_work_handler+0x136/0x1ba0 [iw_cm]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x2c/0x50\n kasan_record_aux_stack+0xa3/0xb0\n __queue_work+0x2ff/0x1390\n queue_work_on+0x67/0xc0\n cm_event_handler+0x46a/0x820 [iw_cm]\n siw_cm_upcall+0x330/0x650 [siw]\n siw_cm_work_handler+0x6b9/0x2b20 [siw]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:24.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
},
{
"url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
},
{
"url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
},
{
"url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
},
{
"url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
},
{
"url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
},
{
"url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
},
{
"url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
}
],
"title": "RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38211",
"datePublished": "2025-07-04T13:37:30.307Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2026-06-11T18:44:10.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-38211",
"date": "2026-06-29",
"epss": "0.00154",
"percentile": "0.04912"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38211\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T14:15:29.337\",\"lastModified\":\"2026-06-17T09:16:23.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\\n\\nThe commit 59c68ac31e15 (\\\"iw_cm: free cm_id resources on the last\\nderef\\\") simplified cm_id resource management by freeing cm_id once all\\nreferences to the cm_id were removed. The references are removed either\\nupon completion of iw_cm event handlers or when the application destroys\\nthe cm_id. This commit introduced the use-after-free condition where\\ncm_id_private object could still be in use by event handler works during\\nthe destruction of cm_id. The commit aee2424246f9 (\\\"RDMA/iwcm: Fix a\\nuse-after-free related to destroying CM IDs\\\") addressed this use-after-\\nfree by flushing all pending works at the cm_id destruction.\\n\\nHowever, still another use-after-free possibility remained. It happens\\nwith the work objects allocated for each cm_id_priv within\\nalloc_work_entries() during cm_id creation, and subsequently freed in\\ndealloc_work_entries() once all references to the cm_id are removed.\\nIf the cm_id\u0027s last reference is decremented in the event handler work,\\nthe work object for the work itself gets removed, and causes the use-\\nafter-free BUG below:\\n\\n BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\\n Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\\n\\n CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\\n Workqueue: 0x0 (iw_cm_wq)\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x6a/0x90\\n print_report+0x174/0x554\\n ? __virt_addr_valid+0x208/0x430\\n ? __pwq_activate_work+0x1ff/0x250\\n kasan_report+0xae/0x170\\n ? __pwq_activate_work+0x1ff/0x250\\n __pwq_activate_work+0x1ff/0x250\\n pwq_dec_nr_in_flight+0x8c5/0xfb0\\n process_one_work+0xc11/0x1460\\n ? __pfx_process_one_work+0x10/0x10\\n ? assign_work+0x16c/0x240\\n worker_thread+0x5ef/0xfd0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0x3b0/0x770\\n ? __pfx_kthread+0x10/0x10\\n ? rcu_is_watching+0x11/0xb0\\n ? _raw_spin_unlock_irq+0x24/0x50\\n ? rcu_is_watching+0x11/0xb0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x30/0x70\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\\n\\n Allocated by task 147416:\\n kasan_save_stack+0x2c/0x50\\n kasan_save_track+0x10/0x30\\n __kasan_kmalloc+0xa6/0xb0\\n alloc_work_entries+0xa9/0x260 [iw_cm]\\n iw_cm_connect+0x23/0x4a0 [iw_cm]\\n rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\\n nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\\n cma_cm_event_handler+0xae/0x320 [rdma_cm]\\n cma_work_handler+0x106/0x1b0 [rdma_cm]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\n Freed by task 147091:\\n kasan_save_stack+0x2c/0x50\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x37/0x60\\n __kasan_slab_free+0x4b/0x70\\n kfree+0x13a/0x4b0\\n dealloc_work_entries+0x125/0x1f0 [iw_cm]\\n iwcm_deref_id+0x6f/0xa0 [iw_cm]\\n cm_work_handler+0x136/0x1ba0 [iw_cm]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\n Last potentially related work creation:\\n kasan_save_stack+0x2c/0x50\\n kasan_record_aux_stack+0xa3/0xb0\\n __queue_work+0x2ff/0x1390\\n queue_work_on+0x67/0xc0\\n cm_event_handler+0x46a/0x820 [iw_cm]\\n siw_cm_upcall+0x330/0x650 [siw]\\n siw_cm_work_handler+0x6b9/0x2b20 [siw]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\nThis BUG is reproducible by repeating the blktests test case nvme/061\\nfor the rdma transport and the siw driver.\\n\\nTo avoid the use-after-free of cm_id_private work objects, ensure that\\nthe last reference to the cm_id is decremented not in the event handler\\nworks, but in the cm_id destruction context. For that purpose, mo\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/iwcm: Correcci\u00f3n del use-after-free de objetos de trabajo despu\u00e9s de la destrucci\u00f3n de cm_id El commit 59c68ac31e15 (\\\"iw_cm: liberar recursos de cm_id en la \u00faltima desreferencia\\\") simplific\u00f3 la gesti\u00f3n de recursos de cm_id al liberar cm_id una vez que se eliminaron todas las referencias a cm_id. Las referencias se eliminan al completarse los controladores de eventos iw_cm o cuando la aplicaci\u00f3n destruye cm_id. Este commit introdujo la condici\u00f3n de use-after-free donde el objeto cm_id_private a\u00fan podr\u00eda estar en uso por los controladores de eventos durante la destrucci\u00f3n de cm_id. El commit aee2424246f9 (\\\"RDMA/iwcm: Correcci\u00f3n de un use-after-free relacionado con la destrucci\u00f3n de los ID de CM\\\") abord\u00f3 este use-after-free al vaciar todos los trabajos pendientes en la destrucci\u00f3n de cm_id. Sin embargo, a\u00fan quedaba otra posibilidad de use-after-free. Esto sucede con los objetos de trabajo asignados para cada cm_id_priv dentro de alloc_work_entries() durante la creaci\u00f3n de cm_id, y posteriormente se liberan en dealloc_work_entries() una vez que se eliminan todas las referencias a cm_id. Si la \u00faltima referencia de cm_id se decrementa en el manejador de eventos work, el objeto de trabajo para el trabajo en s\u00ed se elimina y causa el siguiente ERROR de use-after-free: ERROR: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Este error se puede reproducir repitiendo el caso de prueba blktests nvme/061 para el transporte rdma y el controlador siw. Para evitar el uso posterior a la liberaci\u00f3n de objetos de trabajo cm_id_private, aseg\u00farese de que la \u00faltima referencia a cm_id se decremente no en los trabajos del controlador de eventos, sino en el contexto de destrucci\u00f3n de cm_id. Para ello, mo ---truncated---\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"drivers/infiniband/core/iwcm.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"013dcdf6f03bcedbaf1669e3db71c34a197715b2\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"3b4a50d733acad6831f6bd9288a76a80f70650ac\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"78381dc8a6b61c9bb9987d37b4d671b99767c4a1\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"23a707bbcbea468eedb398832eeb7e8e0ceafd21\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"764c9f69beabef8bdc651a7746c59f7a340d104f\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"fd960b5ddf4faf00da43babdd3acda68842e1f6a\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\",\"lessThan\":\"6883b680e703c6b2efddb4e7a8d891ce1803d06b\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"drivers/infiniband/core/iwcm.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"4.8\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"4.8\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.4.296\",\"lessThanOrEqual\":\"5.4.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.240\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.186\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.142\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.95\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.35\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.15.4\",\"lessThanOrEqual\":\"6.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.16\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-10T20:41:18.332991Z\",\"id\":\"CVE-2025-38211\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.8\",\"versionEndExcluding\":\"5.4.296\",\"matchCriteriaId\":\"95A75954-6D0A-452F-BBBC-39406EB09050\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.240\",\"matchCriteriaId\":\"0E73A49A-F9B2-470F-91B2-6FAB6239BDB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.186\",\"matchCriteriaId\":\"D96F2C0D-0D4A-4658-AD34-D8A626EA422D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.142\",\"matchCriteriaId\":\"459B4E94-FE0E-434D-B782-95E3A5FFC6B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.95\",\"matchCriteriaId\":\"C5E01853-7048-4D78-9479-9AEE41AC8456\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.35\",\"matchCriteriaId\":\"E569FD34-0076-4428-BE17-EECCF867611C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.4\",\"matchCriteriaId\":\"DFD174C5-1AA2-4671-BDDC-1A9FCC753655\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T17:35:29.579Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-38211\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-10T20:41:18.332991Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-11T17:38:13.291Z\"}}], \"cna\": {\"title\": \"RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"013dcdf6f03bcedbaf1669e3db71c34a197715b2\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"3b4a50d733acad6831f6bd9288a76a80f70650ac\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"78381dc8a6b61c9bb9987d37b4d671b99767c4a1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"23a707bbcbea468eedb398832eeb7e8e0ceafd21\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"764c9f69beabef8bdc651a7746c59f7a340d104f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"fd960b5ddf4faf00da43babdd3acda68842e1f6a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4\", \"lessThan\": \"6883b680e703c6b2efddb4e7a8d891ce1803d06b\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/infiniband/core/iwcm.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.296\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.240\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.186\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.142\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.95\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.35\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.15.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.16\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/infiniband/core/iwcm.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2\"}, {\"url\": \"https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5\"}, {\"url\": \"https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac\"}, {\"url\": \"https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1\"}, {\"url\": \"https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21\"}, {\"url\": \"https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f\"}, {\"url\": \"https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a\"}, {\"url\": \"https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\\n\\nThe commit 59c68ac31e15 (\\\"iw_cm: free cm_id resources on the last\\nderef\\\") simplified cm_id resource management by freeing cm_id once all\\nreferences to the cm_id were removed. The references are removed either\\nupon completion of iw_cm event handlers or when the application destroys\\nthe cm_id. This commit introduced the use-after-free condition where\\ncm_id_private object could still be in use by event handler works during\\nthe destruction of cm_id. The commit aee2424246f9 (\\\"RDMA/iwcm: Fix a\\nuse-after-free related to destroying CM IDs\\\") addressed this use-after-\\nfree by flushing all pending works at the cm_id destruction.\\n\\nHowever, still another use-after-free possibility remained. It happens\\nwith the work objects allocated for each cm_id_priv within\\nalloc_work_entries() during cm_id creation, and subsequently freed in\\ndealloc_work_entries() once all references to the cm_id are removed.\\nIf the cm_id\u0027s last reference is decremented in the event handler work,\\nthe work object for the work itself gets removed, and causes the use-\\nafter-free BUG below:\\n\\n BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\\n Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\\n\\n CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\\n Workqueue: 0x0 (iw_cm_wq)\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x6a/0x90\\n print_report+0x174/0x554\\n ? __virt_addr_valid+0x208/0x430\\n ? __pwq_activate_work+0x1ff/0x250\\n kasan_report+0xae/0x170\\n ? __pwq_activate_work+0x1ff/0x250\\n __pwq_activate_work+0x1ff/0x250\\n pwq_dec_nr_in_flight+0x8c5/0xfb0\\n process_one_work+0xc11/0x1460\\n ? __pfx_process_one_work+0x10/0x10\\n ? assign_work+0x16c/0x240\\n worker_thread+0x5ef/0xfd0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0x3b0/0x770\\n ? __pfx_kthread+0x10/0x10\\n ? rcu_is_watching+0x11/0xb0\\n ? _raw_spin_unlock_irq+0x24/0x50\\n ? rcu_is_watching+0x11/0xb0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x30/0x70\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\\n\\n Allocated by task 147416:\\n kasan_save_stack+0x2c/0x50\\n kasan_save_track+0x10/0x30\\n __kasan_kmalloc+0xa6/0xb0\\n alloc_work_entries+0xa9/0x260 [iw_cm]\\n iw_cm_connect+0x23/0x4a0 [iw_cm]\\n rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\\n nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\\n cma_cm_event_handler+0xae/0x320 [rdma_cm]\\n cma_work_handler+0x106/0x1b0 [rdma_cm]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\n Freed by task 147091:\\n kasan_save_stack+0x2c/0x50\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x37/0x60\\n __kasan_slab_free+0x4b/0x70\\n kfree+0x13a/0x4b0\\n dealloc_work_entries+0x125/0x1f0 [iw_cm]\\n iwcm_deref_id+0x6f/0xa0 [iw_cm]\\n cm_work_handler+0x136/0x1ba0 [iw_cm]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\n Last potentially related work creation:\\n kasan_save_stack+0x2c/0x50\\n kasan_record_aux_stack+0xa3/0xb0\\n __queue_work+0x2ff/0x1390\\n queue_work_on+0x67/0xc0\\n cm_event_handler+0x46a/0x820 [iw_cm]\\n siw_cm_upcall+0x330/0x650 [siw]\\n siw_cm_work_handler+0x6b9/0x2b20 [siw]\\n process_one_work+0x84f/0x1460\\n worker_thread+0x5ef/0xfd0\\n kthread+0x3b0/0x770\\n ret_from_fork+0x30/0x70\\n ret_from_fork_asm+0x1a/0x30\\n\\nThis BUG is reproducible by repeating the blktests test case nvme/061\\nfor the rdma transport and the siw driver.\\n\\nTo avoid the use-after-free of cm_id_private work objects, ensure that\\nthe last reference to the cm_id is decremented not in the event handler\\nworks, but in the cm_id destruction context. For that purpose, mo\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.296\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.240\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.186\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.142\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.95\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.35\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.15.4\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.16\", \"versionStartIncluding\": \"4.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:23:24.277Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-38211\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-11T18:44:10.931Z\", \"dateReserved\": \"2025-04-16T04:51:23.994Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-07-04T13:37:30.307Z\", \"assignerShortName\": \"Linux\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…