CVE-2025-37828

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-37828
Downstream
Related
Published
2025-05-08T07:15:54Z
Modified
2025-05-13T10:00:03Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: mcq: Add NULL check in ufshcdmcqabort()

A race can occur between the MCQ completion path and the abort handler: once a request completes, _blkmqfreerequest() sets rq->mqhctx to NULL, meaning the subsequent ufshcdmcqreqtohwq() call in ufshcdmcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash.

Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference. As suggested by Bart, the ufshcdcmdinflight() check is removed.

This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcdabortone racing issue").

This is found by our static analysis tool KNighter.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.27-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}