CVE-2025-37759

In the Linux kernel, the following vulnerability has been resolved: ublk: fix handling recovery & reissue in ublk_abort_queue() Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command. If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic: [ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 126.773657] #PF: supervisor read access in kernel mode [ 126.774052] #PF: error_code(0x0000) - not-present page [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full) [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 [ 126.776275] Workqueue: iou_exit io_ring_exit_work [ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv] Fixes it by always grabbing request reference for aborting the request.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70	Patch
https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1	Patch
https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f	Patch
https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::

History

06 Nov 2025, 21:44

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux linux Kernel Linux
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70 -~~	() https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70 - Patch
References	~~() https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1 -~~	() https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1 - Patch
References	~~() https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f -~~	() https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f - Patch
References	~~() https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067 -~~	() https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::

Information

Published : 2025-05-01 13:15

Updated : 2025-11-06 21:44

NVD link : CVE-2025-37759

Mitre link : CVE-2025-37759

CVE.ORG link : CVE-2025-37759

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10