CVE-2025-38074

vhost-scsi: protect vq->log_used with vq->mutex

Description

In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c
https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427
https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834
https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27

Frequently Asked Questions

What is the severity of CVE-2025-38074?
CVE-2025-38074 has not yet been assigned a CVSS score.
How to fix CVE-2025-38074?
To fix CVE-2025-38074, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38074 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38074 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38074?
CVE-2025-38074 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.