CVE-2025-38074 (GCVE-0-2025-38074)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 80cf68489681c165ded460930e391b1eb37b5f6f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8312a1ccff1566f375191a89b9ba71b6eb48a8cd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 59614c5acf6688f7af3c245d359082c0e9e53117 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ca85c2d0db5f8309832be45858b960d933c2131c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd8c9404e44adb9f6219c09b3409a61ab7ce3427 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c0039e3afda29be469d29b3013d7f9bdee136834 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f591cf9fce724e5075cc67488c43c6e39e8cbe27 (git)
Create a notification for this product.
    Linux Linux Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.189 , ≤ 5.15.* (semver)
Unaffected: 6.1.146 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:42.169Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "80cf68489681c165ded460930e391b1eb37b5f6f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8312a1ccff1566f375191a89b9ba71b6eb48a8cd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "59614c5acf6688f7af3c245d359082c0e9e53117",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ca85c2d0db5f8309832be45858b960d933c2131c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bd8c9404e44adb9f6219c09b3409a61ab7ce3427",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c0039e3afda29be469d29b3013d7f9bdee136834",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f591cf9fce724e5075cc67488c43c6e39e8cbe27",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vhost/scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.146",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq-\u003elog_used with vq-\u003emutex\n\nThe vhost-scsi completion path may access vq-\u003elog_base when vq-\u003elog_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-\u003e vhost_add_used()\n   -\u003e vhost_add_used_n()\n      if (unlikely(vq-\u003elog_used))\n                                      QEMU disables vq-\u003elog_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(\u0026vq-\u003emutex);\n                                      vq-\u003elog_used = false now!\n                                      mutex_unlock(\u0026vq-\u003emutex);\n\n\t\t\t\t      QEMU gfree(vq-\u003elog_base)\n        log_used()\n        -\u003e log_write(vq-\u003elog_base)\n\nAssuming the VMM is QEMU. The vq-\u003elog_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T16:55:34.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834"
        },
        {
          "url": "https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27"
        }
      ],
      "title": "vhost-scsi: protect vq-\u003elog_used with vq-\u003emutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38074",
    "datePublished": "2025-06-18T09:33:50.006Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2025-11-03T17:33:42.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38074\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:40.850\",\"lastModified\":\"2025-11-03T18:16:01.060\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvhost-scsi: protect vq-\u003elog_used with vq-\u003emutex\\n\\nThe vhost-scsi completion path may access vq-\u003elog_base when vq-\u003elog_used is\\nalready set to false.\\n\\n    vhost-thread                       QEMU-thread\\n\\nvhost_scsi_complete_cmd_work()\\n-\u003e vhost_add_used()\\n   -\u003e vhost_add_used_n()\\n      if (unlikely(vq-\u003elog_used))\\n                                      QEMU disables vq-\u003elog_used\\n                                      via VHOST_SET_VRING_ADDR.\\n                                      mutex_lock(\u0026vq-\u003emutex);\\n                                      vq-\u003elog_used = false now!\\n                                      mutex_unlock(\u0026vq-\u003emutex);\\n\\n\\t\\t\\t\\t      QEMU gfree(vq-\u003elog_base)\\n        log_used()\\n        -\u003e log_write(vq-\u003elog_base)\\n\\nAssuming the VMM is QEMU. The vq-\u003elog_base is from QEMU userpace and can be\\nreclaimed via gfree(). As a result, this causes invalid memory writes to\\nQEMU userspace.\\n\\nThe control queue path has the same issue.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vhost-scsi: proteger vq-\u0026gt;log_used con vq-\u0026gt;mutex La ruta de finalizaci\u00f3n de vhost-scsi puede acceder a vq-\u0026gt;log_base cuando vq-\u0026gt;log_used ya est\u00e1 configurado como falso. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -\u0026gt; vhost_add_used() -\u0026gt; vhost_add_used_n() if (unlikely(vq-\u0026gt;log_used)) QEMU deshabilita vq-\u0026gt;log_used mediante VHOST_SET_VRING_ADDR. mutex_lock(\u0026amp;vq-\u0026gt;mutex); vq-\u0026gt;log_used = false now! mutex_unlock(\u0026amp;vq-\u0026gt;mutex); QEMU gfree(vq-\u0026gt;log_base) log_used() -\u0026gt; log_write(vq-\u0026gt;log_base) Suponiendo que el VMM es QEMU. La ruta vq-\u0026gt;log_base proviene del espacio de usuario de QEMU y se puede recuperar mediante gfree(). Como resultado, esto provoca escrituras de memoria no v\u00e1lidas en el espacio de usuario de QEMU. La ruta de la cola de control presenta el mismo problema.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.