CVE-2025-37906

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37906
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37906.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-37906
Downstream
Published
2025-05-20T15:21:39.633Z
Modified
2025-11-20T08:39:35.346577Z
Summary
ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd
Details

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix race between iouringcmdcompleteintask and ublkcancel_cmd

ublkcancelcmd() calls iouringcmddone() to complete uringcmd, but we may have scheduled task work via iouringcmdcompletein_task() for dispatching request, then kernel crash can be triggered.

Fix it by not trying to canceling the command if ublk block request is started.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
216c8f5ef0f209a3797292c487bdaa6991ab4b92
Fixed
fb2eb9ddf556f93fef45201e1f9d2b8674bcc975
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
216c8f5ef0f209a3797292c487bdaa6991ab4b92
Fixed
f40139fde5278d81af3227444fd6e76a76b9506d

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.6
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f40139fde5278d81af3227444fd6e76a76b9506d",
        "digest": {
            "length": 173.0,
            "function_hash": "271752798979098057110832853081929286795"
        },
        "id": "CVE-2025-37906-5b968ee2",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_cancel_queue"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f40139fde5278d81af3227444fd6e76a76b9506d",
        "digest": {
            "length": 412.0,
            "function_hash": "202566693720753283311417873753614733485"
        },
        "id": "CVE-2025-37906-81a20db2",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_cancel_cmd"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f40139fde5278d81af3227444fd6e76a76b9506d",
        "digest": {
            "line_hashes": [
                "238074979561376754509184114713083253622",
                "299430584920422110871009415457336572675",
                "262013171335013838330392074901479290838",
                "223640362437637073029921966495694844586",
                "170591014063213562312682750150841354434",
                "97874949143677751815404237452311889489",
                "249570616844075144838083130783794126951",
                "170597658805214252056589854763202648090",
                "38272870081062737621039552498699990185",
                "304065550424304292450995893808394194322",
                "81424488014543167777853098434908359716",
                "184539574355789190611655476802344186393",
                "239627173164802805399638993806166428777",
                "134788671443159717440326717804970783055",
                "14994168104475584140053230074261866559",
                "225182825162415865968295348532372229987",
                "301282047082979069411600825196669395665",
                "108872536646881757067153508196962705446",
                "150355944771350339451451060055854722227",
                "229496398094716794368239511550428398158",
                "98530296325927787106517165853203383363",
                "203599470134293337851489459918123587727",
                "187180887370893976772047819448673203391"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-37906-9db320de",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f40139fde5278d81af3227444fd6e76a76b9506d",
        "digest": {
            "length": 488.0,
            "function_hash": "99420117483499459982800634720064684969"
        },
        "id": "CVE-2025-37906-bb3d15db",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_uring_cmd_cancel_fn"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.14.6