CVE-2025-37886 (GCVE-0-2025-37886)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-05-26 05:23
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: pds_core: make wait_context part of q_info Make the wait_context a full part of the q_info struct rather than a stack variable that goes away after pdsc_adminq_post() is done so that the context is still available after the wait loop has given up. There was a case where a slow development firmware caused the adminq request to time out, but then later the FW finally finished the request and sent the interrupt. The handler tried to complete_all() the completion context that had been created on the stack in pdsc_adminq_post() but no longer existed. This caused bad pointer usage, kernel crashes, and much wailing and gnashing of teeth.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 66d7702b42ffdf0dce4808626088268a4e905ca6 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 520f012fe75fb8efc9f16a57ef929a7a2115d892 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 3f77c3dfffc7063428b100c4945ca2a7a8680380 (git)
Create a notification for this product.
    Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "66d7702b42ffdf0dce4808626088268a4e905ca6",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "520f012fe75fb8efc9f16a57ef929a7a2115d892",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "3f77c3dfffc7063428b100c4945ca2a7a8680380",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: make wait_context part of q_info\n\nMake the wait_context a full part of the q_info struct rather\nthan a stack variable that goes away after pdsc_adminq_post()\nis done so that the context is still available after the wait\nloop has given up.\n\nThere was a case where a slow development firmware caused\nthe adminq request to time out, but then later the FW finally\nfinished the request and sent the interrupt.  The handler tried\nto complete_all() the completion context that had been created\non the stack in pdsc_adminq_post() but no longer existed.\nThis caused bad pointer usage, kernel crashes, and much wailing\nand gnashing of teeth."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:03.001Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381"
        },
        {
          "url": "https://git.kernel.org/stable/c/66d7702b42ffdf0dce4808626088268a4e905ca6"
        },
        {
          "url": "https://git.kernel.org/stable/c/520f012fe75fb8efc9f16a57ef929a7a2115d892"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f77c3dfffc7063428b100c4945ca2a7a8680380"
        }
      ],
      "title": "pds_core: make wait_context part of q_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37886",
    "datePublished": "2025-05-09T06:45:48.810Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-05-26T05:23:03.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37886\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-09T07:16:09.973\",\"lastModified\":\"2025-11-12T19:36:38.217\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\npds_core: make wait_context part of q_info\\n\\nMake the wait_context a full part of the q_info struct rather\\nthan a stack variable that goes away after pdsc_adminq_post()\\nis done so that the context is still available after the wait\\nloop has given up.\\n\\nThere was a case where a slow development firmware caused\\nthe adminq request to time out, but then later the FW finally\\nfinished the request and sent the interrupt.  The handler tried\\nto complete_all() the completion context that had been created\\non the stack in pdsc_adminq_post() but no longer existed.\\nThis caused bad pointer usage, kernel crashes, and much wailing\\nand gnashing of teeth.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pds_core: hacer que wait_context forme parte de q_info Hacer que wait_context sea una parte completa de la estructura q_info en lugar de una variable de pila que desaparezca despu\u00e9s de que pdsc_adminq_post() se complete para que el contexto siga disponible despu\u00e9s de que el bucle de espera se haya dado por vencido. Hubo un caso en el que un firmware de desarrollo lento provoc\u00f3 que la solicitud adminq expirara, pero luego el FW finalmente termin\u00f3 la solicitud y envi\u00f3 la interrupci\u00f3n. El controlador intent\u00f3 completar_todo() el contexto de finalizaci\u00f3n que se hab\u00eda creado en la pila en pdsc_adminq_post() pero ya no exist\u00eda. Esto caus\u00f3 un mal uso del puntero, fallos del kernel y muchos lamentos y crujir de dientes.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4\",\"versionEndExcluding\":\"6.6.89\",\"matchCriteriaId\":\"68140DF8-D867-4147-A1CD-E3630C9CE7A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.26\",\"matchCriteriaId\":\"22F52099-F422-4D19-8283-45F9F9BF4392\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.14.5\",\"matchCriteriaId\":\"6B25CA7E-4CD0-46DB-B4EF-13A3516071FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D465631-2980-487A-8E65-40AE2B9F8ED1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C9D071F-B28E-46EC-AC61-22B913390211\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"13FC0DDE-E513-465E-9E81-515702D49B74\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3f77c3dfffc7063428b100c4945ca2a7a8680380\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/520f012fe75fb8efc9f16a57ef929a7a2115d892\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/66d7702b42ffdf0dce4808626088268a4e905ca6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.