cvelistv5 - cve-2025-38211

CVE-2025-38211 (GCVE-0-2025-38211)

Vulnerability from cvelistv5

Published

2025-07-04 13:37

Modified

2025-07-28 04:15

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: <TASK> dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---

References

►

URL

Tags

	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a

Impacted products

Vendor

Product

Version

►

Linux

Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4
Version: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4

Linux

Version: 4.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "013dcdf6f03bcedbaf1669e3db71c34a197715b2",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "3b4a50d733acad6831f6bd9288a76a80f70650ac",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "78381dc8a6b61c9bb9987d37b4d671b99767c4a1",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "23a707bbcbea468eedb398832eeb7e8e0ceafd21",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "764c9f69beabef8bdc651a7746c59f7a340d104f",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "fd960b5ddf4faf00da43babdd3acda68842e1f6a",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "6883b680e703c6b2efddb4e7a8d891ce1803d06b",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:15:17.347Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
        },
        {
          "url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
        }
      ],
      "title": "RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38211",
    "datePublished": "2025-07-04T13:37:30.307Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2025-07-28T04:15:17.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38211\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T14:15:29.337\",\"lastModified\":\"2025-07-17T17:15:37.300\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\\n\\nThe commit 59c68ac31e15 (\\\"iw_cm: free cm_id resources on the last\\nderef\\\") simplified cm_id resource management by freeing cm_id once all\\nreferences to the cm_id were removed. The references are removed either\\nupon completion of iw_cm event handlers or when the application destroys\\nthe cm_id. This commit introduced the use-after-free condition where\\ncm_id_private object could still be in use by event handler works during\\nthe destruction of cm_id. The commit aee2424246f9 (\\\"RDMA/iwcm: Fix a\\nuse-after-free related to destroying CM IDs\\\") addressed this use-after-\\nfree by flushing all pending works at the cm_id destruction.\\n\\nHowever, still another use-after-free possibility remained. It happens\\nwith the work objects allocated for each cm_id_priv within\\nalloc_work_entries() during cm_id creation, and subsequently freed in\\ndealloc_work_entries() once all references to the cm_id are removed.\\nIf the cm_id\u0027s last reference is decremented in the event handler work,\\nthe work object for the work itself gets removed, and causes the use-\\nafter-free BUG below:\\n\\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\\n\\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\\n  Workqueue:  0x0 (iw_cm_wq)\\n  Call Trace:\\n   \u003cTASK\u003e\\n   dump_stack_lvl+0x6a/0x90\\n   print_report+0x174/0x554\\n   ? __virt_addr_valid+0x208/0x430\\n   ? __pwq_activate_work+0x1ff/0x250\\n   kasan_report+0xae/0x170\\n   ? __pwq_activate_work+0x1ff/0x250\\n   __pwq_activate_work+0x1ff/0x250\\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\\n   process_one_work+0xc11/0x1460\\n   ? __pfx_process_one_work+0x10/0x10\\n   ? assign_work+0x16c/0x240\\n   worker_thread+0x5ef/0xfd0\\n   ? __pfx_worker_thread+0x10/0x10\\n   kthread+0x3b0/0x770\\n   ? __pfx_kthread+0x10/0x10\\n   ? rcu_is_watching+0x11/0xb0\\n   ? _raw_spin_unlock_irq+0x24/0x50\\n   ? rcu_is_watching+0x11/0xb0\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x30/0x70\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork_asm+0x1a/0x30\\n   \u003c/TASK\u003e\\n\\n  Allocated by task 147416:\\n   kasan_save_stack+0x2c/0x50\\n   kasan_save_track+0x10/0x30\\n   __kasan_kmalloc+0xa6/0xb0\\n   alloc_work_entries+0xa9/0x260 [iw_cm]\\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\\n   process_one_work+0x84f/0x1460\\n   worker_thread+0x5ef/0xfd0\\n   kthread+0x3b0/0x770\\n   ret_from_fork+0x30/0x70\\n   ret_from_fork_asm+0x1a/0x30\\n\\n  Freed by task 147091:\\n   kasan_save_stack+0x2c/0x50\\n   kasan_save_track+0x10/0x30\\n   kasan_save_free_info+0x37/0x60\\n   __kasan_slab_free+0x4b/0x70\\n   kfree+0x13a/0x4b0\\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\\n   process_one_work+0x84f/0x1460\\n   worker_thread+0x5ef/0xfd0\\n   kthread+0x3b0/0x770\\n   ret_from_fork+0x30/0x70\\n   ret_from_fork_asm+0x1a/0x30\\n\\n  Last potentially related work creation:\\n   kasan_save_stack+0x2c/0x50\\n   kasan_record_aux_stack+0xa3/0xb0\\n   __queue_work+0x2ff/0x1390\\n   queue_work_on+0x67/0xc0\\n   cm_event_handler+0x46a/0x820 [iw_cm]\\n   siw_cm_upcall+0x330/0x650 [siw]\\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\\n   process_one_work+0x84f/0x1460\\n   worker_thread+0x5ef/0xfd0\\n   kthread+0x3b0/0x770\\n   ret_from_fork+0x30/0x70\\n   ret_from_fork_asm+0x1a/0x30\\n\\nThis BUG is reproducible by repeating the blktests test case nvme/061\\nfor the rdma transport and the siw driver.\\n\\nTo avoid the use-after-free of cm_id_private work objects, ensure that\\nthe last reference to the cm_id is decremented not in the event handler\\nworks, but in the cm_id destruction context. For that purpose, mo\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/iwcm: Correcci\u00f3n del use-after-free de objetos de trabajo despu\u00e9s de la destrucci\u00f3n de cm_id El commit 59c68ac31e15 (\\\"iw_cm: liberar recursos de cm_id en la \u00faltima desreferencia\\\") simplific\u00f3 la gesti\u00f3n de recursos de cm_id al liberar cm_id una vez que se eliminaron todas las referencias a cm_id. Las referencias se eliminan al completarse los controladores de eventos iw_cm o cuando la aplicaci\u00f3n destruye cm_id. Este commit introdujo la condici\u00f3n de use-after-free donde el objeto cm_id_private a\u00fan podr\u00eda estar en uso por los controladores de eventos durante la destrucci\u00f3n de cm_id. El commit aee2424246f9 (\\\"RDMA/iwcm: Correcci\u00f3n de un use-after-free relacionado con la destrucci\u00f3n de los ID de CM\\\") abord\u00f3 este use-after-free al vaciar todos los trabajos pendientes en la destrucci\u00f3n de cm_id. Sin embargo, a\u00fan quedaba otra posibilidad de use-after-free. Esto sucede con los objetos de trabajo asignados para cada cm_id_priv dentro de alloc_work_entries() durante la creaci\u00f3n de cm_id, y posteriormente se liberan en dealloc_work_entries() una vez que se eliminan todas las referencias a cm_id. Si la \u00faltima referencia de cm_id se decrementa en el manejador de eventos work, el objeto de trabajo para el trabajo en s\u00ed se elimina y causa el siguiente ERROR de use-after-free: ERROR: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace:  dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30  Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Este error se puede reproducir repitiendo el caso de prueba blktests nvme/061 para el transporte rdma y el controlador siw. Para evitar el uso posterior a la liberaci\u00f3n de objetos de trabajo cm_id_private, aseg\u00farese de que la \u00faltima referencia a cm_id se decremente no en los trabajos del controlador de eventos, sino en el contexto de destrucci\u00f3n de cm_id. Para ello, mo ---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

fkie_cve-2025-38211

Vulnerability from fkie_nvd

Published

2025-07-04 14:15

Modified

2025-07-17 17:15

Severity ?

Summary

References

▶	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/iwcm: Correcci\u00f3n del use-after-free de objetos de trabajo despu\u00e9s de la destrucci\u00f3n de cm_id El commit 59c68ac31e15 (\"iw_cm: liberar recursos de cm_id en la \u00faltima desreferencia\") simplific\u00f3 la gesti\u00f3n de recursos de cm_id al liberar cm_id una vez que se eliminaron todas las referencias a cm_id. Las referencias se eliminan al completarse los controladores de eventos iw_cm o cuando la aplicaci\u00f3n destruye cm_id. Este commit introdujo la condici\u00f3n de use-after-free donde el objeto cm_id_private a\u00fan podr\u00eda estar en uso por los controladores de eventos durante la destrucci\u00f3n de cm_id. El commit aee2424246f9 (\"RDMA/iwcm: Correcci\u00f3n de un use-after-free relacionado con la destrucci\u00f3n de los ID de CM\") abord\u00f3 este use-after-free al vaciar todos los trabajos pendientes en la destrucci\u00f3n de cm_id. Sin embargo, a\u00fan quedaba otra posibilidad de use-after-free. Esto sucede con los objetos de trabajo asignados para cada cm_id_priv dentro de alloc_work_entries() durante la creaci\u00f3n de cm_id, y posteriormente se liberan en dealloc_work_entries() una vez que se eliminan todas las referencias a cm_id. Si la \u00faltima referencia de cm_id se decrementa en el manejador de eventos work, el objeto de trabajo para el trabajo en s\u00ed se elimina y causa el siguiente ERROR de use-after-free: ERROR: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace:  dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30  Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Este error se puede reproducir repitiendo el caso de prueba blktests nvme/061 para el transporte rdma y el controlador siw. Para evitar el uso posterior a la liberaci\u00f3n de objetos de trabajo cm_id_private, aseg\u00farese de que la \u00faltima referencia a cm_id se decremente no en los trabajos del controlador de eventos, sino en el contexto de destrucci\u00f3n de cm_id. Para ello, mo ---truncated---"
    }
  ],
  "id": "CVE-2025-38211",
  "lastModified": "2025-07-17T17:15:37.300",
  "metrics": {},
  "published": "2025-07-04T14:15:29.337",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

wid-sec-w-2025-1465

Vulnerability from csaf_certbund

Published

2025-07-06 22:00

Modified

2025-08-12 22:00

Summary

Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht näher spezifizierte Auswirkungen zu erzielen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder nicht n\u00e4her spezifizierte Auswirkungen zu erzielen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1465 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1465.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1465 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1465"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38177",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070411-CVE-2025-38177-bd6c@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38178",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070407-CVE-2025-38178-8846@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38179",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070410-CVE-2025-38179-45b4@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38180",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070410-CVE-2025-38180-c6d0@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38181",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070411-CVE-2025-38181-3497@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38182",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070411-CVE-2025-38182-fd0c@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38183",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070411-CVE-2025-38183-1283@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38184",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070412-CVE-2025-38184-d45c@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38185",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070412-CVE-2025-38185-76cb@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38186",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070412-CVE-2025-38186-6542@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38187",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070413-CVE-2025-38187-dafd@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38188",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070413-CVE-2025-38188-e0a5@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38189",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070414-CVE-2025-38189-5706@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38190",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070414-CVE-2025-38190-5b22@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38191",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070414-CVE-2025-38191-ee47@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38192",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070415-CVE-2025-38192-6a15@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38193",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070415-CVE-2025-38193-0fb1@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38194",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070415-CVE-2025-38194-1c50@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38195",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070416-CVE-2025-38195-1f8b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38196",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070416-CVE-2025-38196-ba59@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38197",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070416-CVE-2025-38197-0bd2@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38198",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070417-CVE-2025-38198-b902@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38199",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070417-CVE-2025-38199-287e@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38200",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070418-CVE-2025-38200-47d9@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38201",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070418-CVE-2025-38201-9575@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38202",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070418-CVE-2025-38202-bef0@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38203",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070419-CVE-2025-38203-8c33@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38204",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070419-CVE-2025-38204-c216@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38205",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070419-CVE-2025-38205-0316@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38206",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070420-CVE-2025-38206-a077@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38207",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070420-CVE-2025-38207-e2ea@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38208",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070420-CVE-2025-38208-97e1@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38209",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070421-CVE-2025-38209-52b8@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38210",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070421-CVE-2025-38210-3804@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38211",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070422-CVE-2025-38211-215a@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38212",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070422-CVE-2025-38212-5bd9@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38213",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070422-CVE-2025-38213-c3e3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38214",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070423-CVE-2025-38214-539a@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38215",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070423-CVE-2025-38215-ddbd@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38216",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070423-CVE-2025-38216-7786@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38217",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070424-CVE-2025-38217-d1ab@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38218",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070424-CVE-2025-38218-a5e8@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38219",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070424-CVE-2025-38219-b284@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38220",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070425-CVE-2025-38220-a235@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38221",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070425-CVE-2025-38221-f152@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38222",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070426-CVE-2025-38222-3cfe@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38223",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070426-CVE-2025-38223-2e38@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38224",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070426-CVE-2025-38224-5e01@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38225",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070427-CVE-2025-38225-75f6@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38226",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070427-CVE-2025-38226-e5b5@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38227",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070427-CVE-2025-38227-f91b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38228",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070428-CVE-2025-38228-67fb@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38229",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070428-CVE-2025-38229-d2d5@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38230",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070429-CVE-2025-38230-e106@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38231",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070429-CVE-2025-38231-c61c@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38232",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070429-CVE-2025-38232-8112@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38233",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070430-CVE-2025-38233-38e0@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38234",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070430-CVE-2025-38234-6984@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38235",
        "url": "https://lore.kernel.org/linux-cve-announce/2025070619-CVE-2025-38235-0098@gregkh/"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7653-1 vom 2025-07-17",
        "url": "https://ubuntu.com/security/notices/USN-7653-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7649-1 vom 2025-07-17",
        "url": "https://ubuntu.com/security/notices/USN-7649-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7650-1 vom 2025-07-17",
        "url": "https://ubuntu.com/security/notices/USN-7650-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7655-1 vom 2025-07-18",
        "url": "https://ubuntu.com/security/notices/USN-7655-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7649-2 vom 2025-07-22",
        "url": "https://ubuntu.com/security/notices/USN-7649-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7665-1 vom 2025-07-22",
        "url": "https://ubuntu.com/security/notices/USN-7665-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7665-2 vom 2025-07-24",
        "url": "https://ubuntu.com/security/notices/USN-7665-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7671-1 vom 2025-07-25",
        "url": "https://ubuntu.com/security/notices/USN-7671-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7671-2 vom 2025-07-29",
        "url": "https://ubuntu.com/security/notices/USN-7671-2"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02588-1 vom 2025-08-01",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQYPF6FAXKWBHQ4POBUPZVPW4L73XJR5/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-100 vom 2025-08-05",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-100.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-098 vom 2025-08-05",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-098.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7671-3 vom 2025-08-04",
        "url": "https://ubuntu.com/security/notices/USN-7671-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7686-1 vom 2025-08-05",
        "url": "https://ubuntu.com/security/notices/USN-7686-1"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-101 vom 2025-08-09",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-101.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5973 vom 2025-08-12",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00137.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4271 vom 2025-08-13",
        "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2025-08-12T22:00:00.000+00:00",
      "generator": {
        "date": "2025-08-13T06:22:59.084+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1465",
      "initial_release_date": "2025-07-06T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-06T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-07-21T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-07-22T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-07-24T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-07-27T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-07-29T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-08-03T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-08-04T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-08-05T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-08-10T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-08-12T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "12"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.16-rc5",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.16-rc5",
                  "product_id": "T045080"
                }
              },
              {
                "category": "product_version",
                "name": "6.16-rc5",
                "product": {
                  "name": "Open Source Linux Kernel 6.16-rc5",
                  "product_id": "T045080-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.16-rc5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.15.5",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.15.5",
                  "product_id": "T045081"
                }
              },
              {
                "category": "product_version",
                "name": "6.15.5",
                "product": {
                  "name": "Open Source Linux Kernel 6.15.5",
                  "product_id": "T045081-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.15.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.12.36",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.12.36",
                  "product_id": "T045082"
                }
              },
              {
                "category": "product_version",
                "name": "6.12.36",
                "product": {
                  "name": "Open Source Linux Kernel 6.12.36",
                  "product_id": "T045082-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.12.36"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.6.96",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.6.96",
                  "product_id": "T045083"
                }
              },
              {
                "category": "product_version",
                "name": "6.6.96",
                "product": {
                  "name": "Open Source Linux Kernel 6.6.96",
                  "product_id": "T045083-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.6.96"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.1.143",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.1.143",
                  "product_id": "T045084"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.143",
                "product": {
                  "name": "Open Source Linux Kernel 6.1.143",
                  "product_id": "T045084-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.1.143"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Kernel"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-38177",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38177"
    },
    {
      "cve": "CVE-2025-38178",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38178"
    },
    {
      "cve": "CVE-2025-38179",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38179"
    },
    {
      "cve": "CVE-2025-38180",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38180"
    },
    {
      "cve": "CVE-2025-38181",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38181"
    },
    {
      "cve": "CVE-2025-38182",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38182"
    },
    {
      "cve": "CVE-2025-38183",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38183"
    },
    {
      "cve": "CVE-2025-38184",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38184"
    },
    {
      "cve": "CVE-2025-38185",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38185"
    },
    {
      "cve": "CVE-2025-38186",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38186"
    },
    {
      "cve": "CVE-2025-38187",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38187"
    },
    {
      "cve": "CVE-2025-38188",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38188"
    },
    {
      "cve": "CVE-2025-38189",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38189"
    },
    {
      "cve": "CVE-2025-38190",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38190"
    },
    {
      "cve": "CVE-2025-38191",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38191"
    },
    {
      "cve": "CVE-2025-38192",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38192"
    },
    {
      "cve": "CVE-2025-38193",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38193"
    },
    {
      "cve": "CVE-2025-38194",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38194"
    },
    {
      "cve": "CVE-2025-38195",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38195"
    },
    {
      "cve": "CVE-2025-38196",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38196"
    },
    {
      "cve": "CVE-2025-38197",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38197"
    },
    {
      "cve": "CVE-2025-38198",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38198"
    },
    {
      "cve": "CVE-2025-38199",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38199"
    },
    {
      "cve": "CVE-2025-38200",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38200"
    },
    {
      "cve": "CVE-2025-38201",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38201"
    },
    {
      "cve": "CVE-2025-38202",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38202"
    },
    {
      "cve": "CVE-2025-38203",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38203"
    },
    {
      "cve": "CVE-2025-38204",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38204"
    },
    {
      "cve": "CVE-2025-38205",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38205"
    },
    {
      "cve": "CVE-2025-38206",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38206"
    },
    {
      "cve": "CVE-2025-38207",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38207"
    },
    {
      "cve": "CVE-2025-38208",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38208"
    },
    {
      "cve": "CVE-2025-38209",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38209"
    },
    {
      "cve": "CVE-2025-38210",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38210"
    },
    {
      "cve": "CVE-2025-38211",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38211"
    },
    {
      "cve": "CVE-2025-38212",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38212"
    },
    {
      "cve": "CVE-2025-38213",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38213"
    },
    {
      "cve": "CVE-2025-38214",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38214"
    },
    {
      "cve": "CVE-2025-38215",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38215"
    },
    {
      "cve": "CVE-2025-38216",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38216"
    },
    {
      "cve": "CVE-2025-38217",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38217"
    },
    {
      "cve": "CVE-2025-38218",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38218"
    },
    {
      "cve": "CVE-2025-38219",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38219"
    },
    {
      "cve": "CVE-2025-38220",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38220"
    },
    {
      "cve": "CVE-2025-38221",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38221"
    },
    {
      "cve": "CVE-2025-38222",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38222"
    },
    {
      "cve": "CVE-2025-38223",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38223"
    },
    {
      "cve": "CVE-2025-38224",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38224"
    },
    {
      "cve": "CVE-2025-38225",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38225"
    },
    {
      "cve": "CVE-2025-38226",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38226"
    },
    {
      "cve": "CVE-2025-38227",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38227"
    },
    {
      "cve": "CVE-2025-38228",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38228"
    },
    {
      "cve": "CVE-2025-38229",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38229"
    },
    {
      "cve": "CVE-2025-38230",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38230"
    },
    {
      "cve": "CVE-2025-38231",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38231"
    },
    {
      "cve": "CVE-2025-38232",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38232"
    },
    {
      "cve": "CVE-2025-38233",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38233"
    },
    {
      "cve": "CVE-2025-38234",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38234"
    },
    {
      "cve": "CVE-2025-38235",
      "product_status": {
        "known_affected": [
          "T045080",
          "2951",
          "T002207",
          "T045082",
          "T045081",
          "T000126",
          "T045084",
          "T045083",
          "398363"
        ]
      },
      "release_date": "2025-07-06T22:00:00.000+00:00",
      "title": "CVE-2025-38235"
    }
  ]
}

ghsa-wcw7-g3wh-rxf7

Vulnerability from github

Published

2025-07-04 15:31

Modified

2025-07-17 18:31

Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction.

However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below:

BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091

CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30

Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30

This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver.

To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-38211"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T14:15:29Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---",
  "id": "GHSA-wcw7-g3wh-rxf7",
  "modified": "2025-07-17T18:31:09Z",
  "published": "2025-07-04T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38211"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-38211 (GCVE-0-2025-38211)

Vulnerability from cvelistv5

fkie_cve-2025-38211

Vulnerability from fkie_nvd

wid-sec-w-2025-1465

Vulnerability from csaf_certbund

ghsa-wcw7-g3wh-rxf7

Vulnerability from github

Tags

Sightings

Nomenclature