Vulnerability-Lookup

alsa-2025:15008

Vulnerability from osv_almalinux

Published

2025-09-02 00:00

Modified

2025-09-09 09:28

Summary

Moderate: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (CVE-2025-38211)
kernel: scsi: lpfc: Use memcpy() for BIOS version (CVE-2025-38332)
kernel: tipc: Fix use-after-free in tipc_conn_close() (CVE-2025-38464)
kernel: net/sched: sch_qfq: Fix race condition on qfq_aggregate (CVE-2025-38477)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:15008	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-38211	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38332	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38464	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38477	REPORT
	https://bugzilla.redhat.com/2376406	REPORT
	https://bugzilla.redhat.com/2379246	REPORT
	https://bugzilla.redhat.com/2383509	REPORT
	https://bugzilla.redhat.com/2383922	REPORT
	https://errata.almalinux.org/8/ALSA-2025-15008.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.72.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (CVE-2025-38211)\n  * kernel: scsi: lpfc: Use memcpy() for BIOS version (CVE-2025-38332)\n  * kernel: tipc: Fix use-after-free in tipc_conn_close() (CVE-2025-38464)\n  * kernel: net/sched: sch_qfq: Fix race condition on qfq_aggregate (CVE-2025-38477)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:15008",
  "modified": "2025-09-09T09:28:32Z",
  "published": "2025-09-02T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:15008"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38211"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38332"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38464"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38477"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2376406"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2379246"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2383509"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2383922"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-15008.html"
    }
  ],
  "related": [
    "CVE-2025-38211",
    "CVE-2025-38332",
    "CVE-2025-38464",
    "CVE-2025-38477"
  ],
  "summary": "Moderate: kernel security update"
}

CVE-2025-38464 (GCVE-0-2025-38464)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2025-11-03 17:38

Title

tipc: Fix use-after-free in tipc_conn_close().

Summary

In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/03dcdd2558e1e55bf…
	https://git.kernel.org/stable/c/15a6f4971e2f157d5…
	https://git.kernel.org/stable/c/dab8ded2e5ff41012…
	https://git.kernel.org/stable/c/1dbf7cd2454a28b1d…
	https://git.kernel.org/stable/c/be4b8392da7978294…
	https://git.kernel.org/stable/c/50aa2d121bc2cfe2d…
	https://git.kernel.org/stable/c/3b89e17b2fd640126…
	https://git.kernel.org/stable/c/667eeab4999e981c9…

Impacted products

Vendor

Product

Version

Linux

Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 03dcdd2558e1e55bf843822fe4363dcb48743f2b (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 15a6f4971e2f157d57e09ea748d1fbc714277aa4 (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < dab8ded2e5ff41012a6ff400b44dbe76ccf3592a (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 1dbf7cd2454a28b1da700085b99346b5445aeabb (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < be4b8392da7978294f2f368799d29dd509fb6c4d (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50 (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 3b89e17b2fd64012682bed158d9eb3d2e96dec42 (git)
Affected: c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f , < 667eeab4999e981c96b447a4df5f20bdf5c26f13 (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:25.539Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/topsrv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03dcdd2558e1e55bf843822fe4363dcb48743f2b",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "15a6f4971e2f157d57e09ea748d1fbc714277aa4",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "dab8ded2e5ff41012a6ff400b44dbe76ccf3592a",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "1dbf7cd2454a28b1da700085b99346b5445aeabb",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "be4b8392da7978294f2f368799d29dd509fb6c4d",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "3b89e17b2fd64012682bed158d9eb3d2e96dec42",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            },
            {
              "lessThan": "667eeab4999e981c96b447a4df5f20bdf5c26f13",
              "status": "affected",
              "version": "c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/topsrv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_conn_close().\n\nsyzbot reported a null-ptr-deref in tipc_conn_close() during netns\ndismantle. [0]\n\ntipc_topsrv_stop() iterates tipc_net(net)-\u003etopsrv-\u003econn_idr and calls\ntipc_conn_close() for each tipc_conn.\n\nThe problem is that tipc_conn_close() is called after releasing the\nIDR lock.\n\nAt the same time, there might be tipc_conn_recv_work() running and it\ncould call tipc_conn_close() for the same tipc_conn and release its\nlast -\u003ekref.\n\nOnce we release the IDR lock in tipc_topsrv_stop(), there is no\nguarantee that the tipc_conn is alive.\n\nLet\u0027s hold the ref before releasing the lock and put the ref after\ntipc_conn_close() in tipc_topsrv_stop().\n\n[0]:\nBUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\nRead of size 8 at addr ffff888099305a08 by task kworker/u4:3/435\n\nCPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1fc/0x2ef lib/dump_stack.c:118\n print_address_description.cold+0x54/0x219 mm/kasan/report.c:256\n kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354\n kasan_report mm/kasan/report.c:412 [inline]\n __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433\n tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\n tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]\n tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722\n ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153\n cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nAllocated by task 23:\n kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625\n kmalloc include/linux/slab.h:515 [inline]\n kzalloc include/linux/slab.h:709 [inline]\n tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192\n tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nFreed by task 23:\n __cache_free mm/slab.c:3503 [inline]\n kfree+0xcc/0x210 mm/slab.c:3822\n tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]\n kref_put include/linux/kref.h:70 [inline]\n conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nThe buggy address belongs to the object at ffff888099305a00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 8 bytes inside of\n 512-byte region [ffff888099305a00, ffff888099305c00)\nThe buggy address belongs to the page:\npage:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0\nflags: 0xfff00000000100(slab)\nraw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940\nraw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                      ^\n ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:23:12.269Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03dcdd2558e1e55bf843822fe4363dcb48743f2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/15a6f4971e2f157d57e09ea748d1fbc714277aa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/dab8ded2e5ff41012a6ff400b44dbe76ccf3592a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1dbf7cd2454a28b1da700085b99346b5445aeabb"
        },
        {
          "url": "https://git.kernel.org/stable/c/be4b8392da7978294f2f368799d29dd509fb6c4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b89e17b2fd64012682bed158d9eb3d2e96dec42"
        },
        {
          "url": "https://git.kernel.org/stable/c/667eeab4999e981c96b447a4df5f20bdf5c26f13"
        }
      ],
      "title": "tipc: Fix use-after-free in tipc_conn_close().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38464",
    "datePublished": "2025-07-25T15:27:46.708Z",
    "dateReserved": "2025-04-16T04:51:24.020Z",
    "dateUpdated": "2025-11-03T17:38:25.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38477 (GCVE-0-2025-38477)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

net/sched: sch_qfq: Fix race condition on qfq_aggregate

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aa7a22c4d678bf649…
	https://git.kernel.org/stable/c/d841aa5518508ab19…
	https://git.kernel.org/stable/c/c6df794000147a3a0…
	https://git.kernel.org/stable/c/466e10194ab81caa2…
	https://git.kernel.org/stable/c/fbe48f06e64134dfe…
	https://git.kernel.org/stable/c/a6d735100f602c830…
	https://git.kernel.org/stable/c/c000a3a330d97f6c0…
	https://git.kernel.org/stable/c/5e28d5a3f774f1188…

Impacted products

Vendor

Product

Version

Linux

Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < aa7a22c4d678bf649fd3a1d27debec583563414d (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < d841aa5518508ab195b6781ad0d73ee378d713dd (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < c6df794000147a3a02f79984aada4ce83f8d0a1e (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 466e10194ab81caa2ee6a332d33ba16bcceeeba6 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < fbe48f06e64134dfeafa89ad23387f66ebca3527 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < a6d735100f602c830c16d69fb6d780eebd8c9ae1 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < c000a3a330d97f6c073ace5aa5faf94b9adb4b79 (git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:44.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:15.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"
        }
      ],
      "title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38477",
    "datePublished": "2025-07-28T11:21:38.319Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:44.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38332 (GCVE-0-2025-38332)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-01-02 15:30

Title

scsi: lpfc: Use memcpy() for BIOS version

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7…
	https://git.kernel.org/stable/c/b699bda5db818b684…
	https://git.kernel.org/stable/c/d34f2384d6df11a6c…
	https://git.kernel.org/stable/c/75ea8375c5a83f46c…
	https://git.kernel.org/stable/c/34c0a670556b24d36…
	https://git.kernel.org/stable/c/2f63bf0d2b146956a…
	https://git.kernel.org/stable/c/003baa7a1a152576d…
	https://git.kernel.org/stable/c/ae82eaf4aeea060bb…

Impacted products

Vendor

Product

Version

Linux

Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < b699bda5db818b684ff62d140defd6394f38f3d6 (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < d34f2384d6df11a6c67039b612c2437f46e587e8 (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 75ea8375c5a83f46c47bfb3de6217c7589a8df93 (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 34c0a670556b24d36c9f8934227edb819ca5609e (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 2f63bf0d2b146956a2f2ff3b25cee71019e64561 (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 003baa7a1a152576d744bd655820449bbdb0248e (git)
Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < ae82eaf4aeea060bb736c3e20c0568b67c701d7d (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.295 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:41.860Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "b699bda5db818b684ff62d140defd6394f38f3d6",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "d34f2384d6df11a6c67039b612c2437f46e587e8",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "75ea8375c5a83f46c47bfb3de6217c7589a8df93",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "34c0a670556b24d36c9f8934227edb819ca5609e",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "2f63bf0d2b146956a2f2ff3b25cee71019e64561",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "003baa7a1a152576d744bd655820449bbdb0248e",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "ae82eaf4aeea060bb736c3e20c0568b67c701d7d",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Use memcpy() for BIOS version\n\nThe strlcat() with FORTIFY support is triggering a panic because it\nthinks the target buffer will overflow although the correct target\nbuffer size is passed in.\n\nAnyway, instead of memset() with 0 followed by a strlcat(), just use\nmemcpy() and ensure that the resulting buffer is NULL terminated.\n\nBIOSVersion is only used for the lpfc_printf_log() which expects a\nproperly terminated string."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:23.364Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b699bda5db818b684ff62d140defd6394f38f3d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d34f2384d6df11a6c67039b612c2437f46e587e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/75ea8375c5a83f46c47bfb3de6217c7589a8df93"
        },
        {
          "url": "https://git.kernel.org/stable/c/34c0a670556b24d36c9f8934227edb819ca5609e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f63bf0d2b146956a2f2ff3b25cee71019e64561"
        },
        {
          "url": "https://git.kernel.org/stable/c/003baa7a1a152576d744bd655820449bbdb0248e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae82eaf4aeea060bb736c3e20c0568b67c701d7d"
        }
      ],
      "title": "scsi: lpfc: Use memcpy() for BIOS version",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38332",
    "datePublished": "2025-07-10T08:15:05.102Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2026-01-02T15:30:23.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38211 (GCVE-0-2025-38211)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2025-11-03 17:35

Title

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: <TASK> dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/013dcdf6f03bcedba…
	https://git.kernel.org/stable/c/bf7eff5e3a36c54bb…
	https://git.kernel.org/stable/c/3b4a50d733acad683…
	https://git.kernel.org/stable/c/78381dc8a6b61c9bb…
	https://git.kernel.org/stable/c/23a707bbcbea468ee…
	https://git.kernel.org/stable/c/764c9f69beabef8bd…
	https://git.kernel.org/stable/c/fd960b5ddf4faf00d…
	https://git.kernel.org/stable/c/6883b680e703c6b2e…

Impacted products

Vendor

Product

Version

Linux

Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 013dcdf6f03bcedbaf1669e3db71c34a197715b2 (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 3b4a50d733acad6831f6bd9288a76a80f70650ac (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 23a707bbcbea468eedb398832eeb7e8e0ceafd21 (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 764c9f69beabef8bdc651a7746c59f7a340d104f (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < fd960b5ddf4faf00da43babdd3acda68842e1f6a (git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 6883b680e703c6b2efddb4e7a8d891ce1803d06b (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.95 , ≤ 6.6.* (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:29.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "013dcdf6f03bcedbaf1669e3db71c34a197715b2",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "3b4a50d733acad6831f6bd9288a76a80f70650ac",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "78381dc8a6b61c9bb9987d37b4d671b99767c4a1",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "23a707bbcbea468eedb398832eeb7e8e0ceafd21",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "764c9f69beabef8bdc651a7746c59f7a340d104f",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "fd960b5ddf4faf00da43babdd3acda68842e1f6a",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "6883b680e703c6b2efddb4e7a8d891ce1803d06b",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:17.347Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
        },
        {
          "url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
        }
      ],
      "title": "RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38211",
    "datePublished": "2025-07-04T13:37:30.307Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-11-03T17:35:29.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2025:15008

Vulnerability from osv_almalinux

CVE-2025-38464 (GCVE-0-2025-38464)

CVE-2025-38477 (GCVE-0-2025-38477)

CVE-2025-38332 (GCVE-0-2025-38332)

CVE-2025-38211 (GCVE-0-2025-38211)

Tags

Sightings

Nomenclature