CVE-2025-38074
Published: Jun 18, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 057cbf49a1f08297877e46c82f707b1bfea806a8 - < 80cf68489681c165ded460930e391b1eb37b5f6faffected 057cbf49a1f08297877e46c82f707b1bfea806a8 - < 8312a1ccff1566f375191a89b9ba71b6eb48a8cdaffected 057cbf49a1f08297877e46c82f707b1bfea806a8 - < 59614c5acf6688f7af3c245d359082c0e9e53117affected 057cbf49a1f08297877e46c82f707b1bfea806a8 - < ca85c2d0db5f8309832be45858b960d933c2131caffected 057cbf49a1f08297877e46c82f707b1bfea806a8 - < bd8c9404e44adb9f6219c09b3409a61ab7ce3427+2 more versions |
Linux | Linux | affected 3.6unaffected 0 - < 3.6unaffected 5.10.240 - <= 5.10.*unaffected 5.15.189 - <= 5.15.*unaffected 6.1.146 - <= 6.1.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now