CVE-2025-38174

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-38174

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38174.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-38174

Downstream

BELL-CVE-2025-38174

DEBIAN-CVE-2025-38174

DSA-5973-1

ECHO-ec67-bd00-a8aa

OESA-2025-2077

OESA-2025-2078

OESA-2025-2079

OESA-2025-2118

OESA-2025-2119

SUSE-SU-2025:02853-1

SUSE-SU-2025:02923-1

SUSE-SU-2025:02969-1

SUSE-SU-2025:03023-1

UBUNTU-CVE-2025-38174

USN-7724-1

USN-7769-1

USN-7769-2

USN-7769-3

USN-7770-1

USN-7774-1

USN-7774-2

USN-7774-3

USN-7774-4

USN-7775-1

USN-7775-2

USN-7775-3

USN-7776-1

USN-7789-1

Related

Published

2025-07-04T11:15:51Z

Modified

2025-08-12T21:01:17Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Do not double dequeue a configuration request

Some of our devices crash in tbcfgrequest_dequeue():

general protection fault, probably for non-canonical address 0xdead000000000122

CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tbcfgrequestdequeue+0x2d/0xa0 Call Trace: <TASK> ? tbcfgrequestdequeue+0x2d/0xa0 tbcfgrequestwork+0x33/0x80 workerthread+0x386/0x8f0 kthread+0xed/0x110 retfromfork+0x38/0x50 retfromfork_asm+0x1b/0x30

The circumstances are unclear, however, the theory is that tbcfgrequestwork() can be scheduled twice for a request: first time via frame.callback from ringwork() and second time from tbcfgrequest(). Both times kworkers will execute tbcfgrequestdequeue(), which results in double listdel() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122).

Do not dequeue requests that don't have TBCFGREQUEST_ACTIVE bit set.

References

Affected packages