CVE-2025-38074

MEDIUM EPSS 5.7%
Published Jun 18, 2025 · Modified Jun 17, 2026
5.5 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: protect vq->log_used with vq->mutex

The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.

    vhost-thread                        QEMU-thread

    vhost_scsi_complete_cmd_work()
    -> vhost_add_used()
       -> vhost_add_used_n()
          if (unlikely(vq->log_used))
                                        QEMU disables vq->log_used
                                        via VHOST_SET_VRING_ADDR.
                                        mutex_lock(&vq->mutex);
                                        vq->log_used = false now!
                                        mutex_unlock(&vq->mutex);

                                        QEMU gfree(vq->log_base)
          log_used()
          -> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.

The control queue path has the same issue.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 10

Vendor   Product        Version   Range
linux    linux_kernel   *         <5.10.240
linux    linux_kernel   *         ≥5.11 – <5.15.189
linux    linux_kernel   *         ≥5.16 – <6.1.146
linux    linux_kernel   *         ≥6.2 – <6.6.93
linux    linux_kernel   *         ≥6.7 – <6.12.31
linux    linux_kernel   *         ≥6.13 – <6.14.9
linux    linux_kernel   6.15      any
linux    linux_kernel   6.15      any
linux    linux_kernel   6.15      any
debian   debian_linux   11.0      any

References 9

  • git.kernel.org https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27
    Patch