CVE-2025-37828

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-37828
Downstream
Related
Published
2025-05-08T06:26:20.135Z
Modified
2025-11-20T09:10:07.053046Z
Summary
scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: mcq: Add NULL check in ufshcdmcqabort()

A race can occur between the MCQ completion path and the abort handler: once a request completes, _blkmqfreerequest() sets rq->mqhctx to NULL, meaning the subsequent ufshcdmcqreqtohwq() call in ufshcdmcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash.

Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference. As suggested by Bart, the ufshcdcmdinflight() check is removed.

This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcdabortone racing issue").

This is found by our static analysis tool KNighter.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f1304d4420777f82a1d844c606db3d9eca841765
Fixed
d6979fabe812a168d5053e5a41d5a2e9b8afd7bf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f1304d4420777f82a1d844c606db3d9eca841765
Fixed
7d002f591486f5ef4bc02eb02025a53f931f0eb5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f1304d4420777f82a1d844c606db3d9eca841765
Fixed
47eec518aef3814f64a5da43df81bdd74d8c0041
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f1304d4420777f82a1d844c606db3d9eca841765
Fixed
4c324085062919d4e21c69e5e78456dcec0052fe

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.15-rc1
v6.4
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-37828-5e1e5021",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52917314539432514543551495812386112312",
                "252867231482471798464453983428670396120",
                "310892467737572223574943905143014024592",
                "74346821640625466249006131627301065022",
                "194263443683805189027564711363178388960",
                "190324579061070589182453613241665954422",
                "165431515240329810282249176655887961174",
                "55740106221764876146589921339693630179",
                "147483861748942436620805941478135191751",
                "183504620441550780164706681524206578045",
                "336011019467125675990704923147384014776",
                "330180386925785116574672838534433296141",
                "36500812549381791891797550369040859751"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6979fabe812a168d5053e5a41d5a2e9b8afd7bf",
        "target": {
            "file": "drivers/ufs/core/ufs-mcq.c"
        }
    },
    {
        "id": "CVE-2025-37828-e6a69868",
        "signature_version": "v1",
        "digest": {
            "length": 1040.0,
            "function_hash": "1984607463207664305946544976049652958"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6979fabe812a168d5053e5a41d5a2e9b8afd7bf",
        "target": {
            "file": "drivers/ufs/core/ufs-mcq.c",
            "function": "ufshcd_mcq_abort"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.89
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.26
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.5