CVE-2025-37759

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37759
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37759.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-37759
Downstream
Published
2025-05-01T13:15:54Z
Modified
2025-05-05T17:00:20Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix handling recovery & reissue in ublkabortqueue()

Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command.

If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic:

[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 126.773657] #PF: supervisor read access in kernel mode [ 126.774052] #PF: errorcode(0x0000) - not-present page [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0blk+ #182 PREEMPT(full) [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 [ 126.776275] Workqueue: iouexit ioringexitwork [ 126.776651] RIP: 0010:ublkiorelease+0x14/0x130 [ublk_drv]

Fixes it by always grabbing request reference for aborting the request.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}