CVE-2025-23154

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23154
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23154.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23154
Downstream
Related
Published
2025-05-01T12:55:40.923Z
Modified
2025-12-02T09:15:25.854274Z
Summary
io_uring/net: fix io_req_post_cqe abuse by send bundle
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring/net: fix ioreqpostcqe abuse by send bundle

[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at iouring/iouring.c:872 ioreqpostcqe+0x12e/0x4f0 [ 114.991597][ T5313] RIP: 0010:ioreqpostcqe+0x12e/0x4f0 [ 115.001880][ T5313] Call Trace: [ 115.002222][ T5313] <TASK> [ 115.007813][ T5313] iosend+0x4fe/0x10f0 [ 115.009317][ T5313] ioissuesqe+0x1a6/0x1740 [ 115.012094][ T5313] iowqsubmitwork+0x38b/0xed0 [ 115.013223][ T5313] ioworkerhandlework+0x62a/0x1600 [ 115.013876][ T5313] iowq_worker+0x34f/0xdf0

As the comment states, ioreqpostcqe() should only be used by multishot requests, i.e. REQFAPOLLMULTISHOT, which bundled sends are not. Add a flag signifying whether a request wants to post multiple CQEs. Eventually REQFAPOLL_MULTISHOT should imply the new flag, but that's left out for simplicity.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23154.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5
Fixed
7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378
Fixed
9aa804e6b9696998308095fb9d335046a71550f1
Fixed
6889ae1b4df1579bcdffef023e2ea9a982565dff

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.11
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.9
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23154.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.24
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.12
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23154.json"