CVE-2025-38074 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.

Reserved 2025-04-16 | Published 2025-06-18 | Updated 2025-07-17 | Assigner Linux

Product status

Default status

unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 80cf68489681c165ded460930e391b1eb37b5f6f

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 8312a1ccff1566f375191a89b9ba71b6eb48a8cd

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 59614c5acf6688f7af3c245d359082c0e9e53117

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ca85c2d0db5f8309832be45858b960d933c2131c

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before bd8c9404e44adb9f6219c09b3409a61ab7ce3427

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c0039e3afda29be469d29b3013d7f9bdee136834

affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before f591cf9fce724e5075cc67488c43c6e39e8cbe27

affected

Default status

affected

5.10.240

unaffected

5.15.189

unaffected

6.1.146

unaffected

6.6.93

unaffected

6.12.31

unaffected

6.14.9

unaffected

6.15

unaffected

References

git.kernel.org/...c/80cf68489681c165ded460930e391b1eb37b5f6f

git.kernel.org/...c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd

git.kernel.org/...c/59614c5acf6688f7af3c245d359082c0e9e53117

git.kernel.org/...c/ca85c2d0db5f8309832be45858b960d933c2131c

git.kernel.org/...c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427

git.kernel.org/...c/c0039e3afda29be469d29b3013d7f9bdee136834

git.kernel.org/...c/f591cf9fce724e5075cc67488c43c6e39e8cbe27

cve.org (CVE-2025-38074)

nvd.nist.gov (CVE-2025-38074)

Download JSON