CVE-2025-37906

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37906
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37906.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37906
Published
2025-05-20T15:21:39Z
Modified
2025-10-18T00:49:09.416077Z
Summary
ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd
Details

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd

ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but we may have scheduled task work via io_uring_cmd_complete_in_task() for dispatching request, then kernel crash can be triggered.

Fix it by not trying to cancel the command if ublk block request is started.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
216c8f5ef0f209a3797292c487bdaa6991ab4b92
Fixed
fb2eb9ddf556f93fef45201e1f9d2b8674bcc975
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
216c8f5ef0f209a3797292c487bdaa6991ab4b92
Fixed
f40139fde5278d81af3227444fd6e76a76b9506d

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.6
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.14.6