CVE-2025-38658
BaseFortify

Publication date: 2025-08-22

Last updated on: 2025-11-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails

Have nvmet_req_init() and req->execute() complete failed commands.

Description of the problem:

nvmet_req_init() calls __nvmet_req_complete() internally upon failure, e.g., an unsupported opcode, which calls the "queue_response" callback. This results in nvmet_pci_epf_queue_response() being called, which will call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is different from DMA_TO_DEVICE. This results in a double completion, as nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod() when nvmet_req_init() fails.

Steps to reproduce:

On the host, send a command with an unsupported opcode with nvme-cli. For example, the admin command "security receive":

$ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096

This triggers a double completion, as nvmet_req_init() fails and nvmet_pci_epf_queue_response() is called; here iod->dma_dir is still in the default state of DMA_NONE, as set by default in nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called. Because nvmet_req_init() failed, nvmet_pci_epf_complete_iod() is also called in nvmet_pci_epf_exec_iod_work(), leading to a double completion. This not only sends two completions to the host but also corrupts the state of the PCI NVMe target, leading to a kernel oops.

This patch lets nvmet_req_init() and req->execute() complete all failed commands, and removes the double completion case in nvmet_pci_epf_exec_iod_work(), therefore fixing the edge cases where double completions occurred.
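The two completion paths the description walks through, as a constructed C model added here (not the kernel's code): the function names mirror the advisory, the bodies only count completions, and exec_iod_work() returns how many times a command with an unsupported opcode gets completed before and after the fix.

```c
/* Constructed model of the completion paths in CVE-2025-38658; not kernel
 * code. Names mirror the advisory, bodies only count completions. */
#include <stdbool.h>

enum dma_dir { DMA_NONE, DMA_TO_DEVICE, DMA_FROM_DEVICE };

struct iod {
    unsigned data_len;
    enum dma_dir dma_dir;   /* DMA_NONE until a transfer is set up */
    int completions;        /* times complete_iod() ran; must end at 1 */
};

/* Models nvmet_pci_epf_complete_iod(): post the CQE and free the iod. */
static void complete_iod(struct iod *iod) { iod->completions++; }

/* Models nvmet_pci_epf_queue_response(), the queue_response callback that
 * __nvmet_req_complete() invokes: with no data, or any direction other than
 * DMA_TO_DEVICE, the command is completed immediately. */
static void queue_response(struct iod *iod)
{
    if (iod->data_len == 0 || iod->dma_dir != DMA_TO_DEVICE)
        complete_iod(iod);
}

/* Models nvmet_req_init(): an unsupported opcode is completed with an error
 * through queue_response() before failure is returned. */
static bool req_init(struct iod *iod, bool opcode_supported)
{
    if (!opcode_supported) {
        queue_response(iod);
        return false;
    }
    return true;
}

/* Models nvmet_pci_epf_exec_iod_work() before (fixed == false) and after
 * (fixed == true) the patch. Returns how often the iod was completed. */
int exec_iod_work(bool opcode_supported, bool fixed)
{
    struct iod iod = { .data_len = 0, .dma_dir = DMA_NONE, .completions = 0 };

    if (!req_init(&iod, opcode_supported)) {
        if (!fixed)
            complete_iod(&iod);   /* pre-fix: a second completion, the bug */
        return iod.completions;   /* fixed: req_init() already completed it */
    }
    queue_response(&iod);         /* models req->execute() completing it */
    return iod.completions;
}
```

A completion count other than 1 is the invariant violation the patch removes; in the real driver the second completion frees and re-signals an iod the host already saw.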
Meta Information
Published: 2025-08-22
Last Modified: 2025-11-26
Generated: 2026-05-27
AI Q&A: 2025-08-22
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE-908: The product uses or accesses a resource that has not been initialized.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's nvmet PCI endpoint function where commands can be completed twice if the function nvmet_req_init() fails. Specifically, when nvmet_req_init() fails (for example, due to an unsupported opcode), it internally calls a completion function that leads to nvmet_pci_epf_complete_iod() being called twice. This double completion sends two responses to the host and corrupts the PCI NVMe target's state, potentially causing a kernel oops (crash). The issue arises because both nvmet_req_init() and another function, nvmet_pci_epf_exec_iod_work(), attempt to complete the failed command independently, leading to this duplication.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel oops) due to corruption of the PCI NVMe target's internal state. This can lead to system instability or denial of service when handling NVMe commands with unsupported opcodes, potentially disrupting normal operations on systems using the affected kernel component.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a command with an unsupported opcode to the NVMe device and observing if it triggers a double completion and kernel oops. For example, using the nvme-cli tool, you can run the command: sudo nvme security-recv /dev/nvme0n1 -n1 -x4096. If this causes kernel errors or double completions, the system may be vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying the patch that fixes the double completion issue by ensuring nvmet_req_init() and req->execute() complete all failed commands properly and removing the double completion case in nvmet_pci_epf_exec_iod_work(). Until the patch is applied, avoid sending unsupported opcodes that trigger the vulnerability.

