CVE-2025-38209: Use After Free in Linux

Severity: 7.8 HIGH (NVD)
EPSS: 0.1% (top 77.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 4

Description

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails. Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotiation, and the second call is required for secure concatenation. However, this change triggered BUG KASAN slab-use-after-free in blk_mq_queue_tag_busy_iter().

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (5 packages)

NVD: linux/linux_kernel 6.15, 6.15.4
CVEListV5: linux/linux 104d0e2f622233477ef7e57e59e8a4c3bb062c82, db1da838b6012e4570c6f81e28ffe1d0ff595948 (+2)
debian: debian/linux

Patches

🔴 Vulnerability Details (2)

OSV (2025-07-04)
CVE-2025-38209: In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f6222
GHSA (2025-07-04)
GHSA-w8w5-45x4-qwqp: In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f622

📋 Vendor Advisories (3)

Red Hat (2025-07-04)
kernel: nvme-tcp: remove tag set when second admin queue config fails
Debian (2025)
CVE-2025-38209: linux - In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: r...
Microsoft (2021-08-10)
net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is rel