CVE-2025-38594

EPSS 0.03%
Veröffentlicht 19.08.2025 17:15:37
Zuletzt bearbeitet 20.08.2025 14:40:17
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix UAF on sva unbind with pending IOPFs

Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach
path") disables IOPF on device by removing the device from its IOMMU's
IOPF queue when the last IOPF-capable domain is detached from the device.
Unfortunately, it did this in a wrong place where there are still pending
IOPFs. As a result, a use-after-free error is potentially triggered and
eventually a kernel panic with a kernel trace similar to the following:

 refcount_t: underflow; use-after-free.
 WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
 Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf
 Call Trace:
   <TASK>
   iopf_free_group+0xe/0x20
   process_one_work+0x197/0x3d0
   worker_thread+0x23a/0x350
   ? rescuer_thread+0x4a0/0x4a0
   kthread+0xf8/0x230
   ? finish_task_switch.isra.0+0x81/0x260
   ? kthreads_online_cpu+0x110/0x110
   ? kthreads_online_cpu+0x110/0x110
   ret_from_fork+0x13b/0x170
   ? kthreads_online_cpu+0x110/0x110
   ret_from_fork_asm+0x11/0x20
   </TASK>
  ---[ end trace 0000000000000000 ]---

The intel_pasid_tear_down_entry() function is responsible for blocking
hardware from generating new page faults and flushing all in-flight
ones. Therefore, moving iopf_for_domain_remove() after this function
should resolve this.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < c68332b7ee893292bba6e87d31ef2080c066c65d

Version 17fce9d2336d952b95474248303e5e7d9777f2e0

Status affected

Version < f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2

Version 17fce9d2336d952b95474248303e5e7d9777f2e0

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.16

Status affected

Version < 6.16

Version 0

Status unaffected

Version <= 6.16.*

Version 6.16.1

Status unaffected

Version <= *

Version 6.17-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d

https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2

https://nvd.nist.gov/vuln/detail/CVE-2025-38594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38594

EUVD