CVE-2025-23154

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23154
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23154.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23154
Published
2025-05-01T12:55:40Z
Modified
2025-10-10T09:38:38.491985Z
Summary
io_uring/net: fix io_req_post_cqe abuse by send bundle
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix io_req_post_cqe abuse by send bundle

[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
[ 115.001880][ T5313] Call Trace:
[ 115.002222][ T5313] <TASK>
[ 115.007813][ T5313] io_send+0x4fe/0x10f0
[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0

As the comment states, io_req_post_cqe() should only be used by multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are not. Add a flag signifying whether a request wants to post multiple CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but that's left out for simplicity.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
9aa804e6b9696998308095fb9d335046a71550f1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
6889ae1b4df1579bcdffef023e2ea9a982565dff

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.11
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.9
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.24
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.12
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.3