CVE-2025-38658: Use of Uninitialized Resource in Linux

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 94.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 22

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails

Have nvmet_req_init() and req->execute() complete failed commands.

Description of the problem: nvmet_req_init() calls __nvmet_req_complete() internally upon failure, e.g., unsupported opcode, which calls the "queue_response" callback, this results in nvmet_pci_epf_queue_response() being called, which will call nvmet_pci_epf_complete_iod() if data_len is

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD | linux/linux_kernel | 6.14 | 6.16.1
CVEListV5 | linux/linux | 0faa0fe6f90ea59b10d1b0f15ce0eb0c18eff186 | a535c0b10060bc8c174a7964b0f98064ee0c4774 | +2
debian | debian/linux

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-hw95-chc9-4w36: In the Linux kernel, the following vulnerability has been resolved: nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails Have nv | 2025-08-22
OSV | CVE-2025-38658: In the Linux kernel, the following vulnerability has been resolved: nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails Have nvme | 2025-08-22

📋 Vendor Advisories (2)

Red Hat | kernel: nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails | 2025-08-22
Debian | CVE-2025-38658: linux - In the Linux kernel, the following vulnerability has been resolved: nvmet: pci-... | 2025
CVE-2025-38658 — Use of Uninitialized Resource in Linux | cvebase