{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-23151","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-01-11T14:28:41.513Z","datePublished":"2025-05-01T12:55:38.833Z","dateUpdated":"2026-05-11T21:13:56.483Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:13:56.483Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bus/mhi/host/main.c"],"versions":[{"version":"176ed1727badd2fad2158e2b214dcbc24f4be7a1","lessThan":"899d0353ea69681f474b6bc9de32c663b89672da","status":"affected","versionType":"git"},{"version":"0b093176fd0967a5f56e2c86b0d48247f6c0fa0f","lessThan":"3e7ecf181cbdde9753204ada3883ca1704d8702b","status":"affected","versionType":"git"},{"version":"ce16274a6b8d1483d0d8383272deb2bfd1b577ca","lessThan":"5f084993c90d9d0b4a52a349ede5120f992a7ca1","status":"affected","versionType":"git"},{"version":"b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9","lessThan":"a77955f7704b2a00385e232cbcc1cb06b5c7a425","status":"affected","versionType":"git"},{"version":"b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9","lessThan":"178e5657c8fd285125cc6743a81b513bce099760","status":"affected","versionType":"git"},{"version":"b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9","lessThan":"ee1fce83ed56450087309b9b74ad9bcb2b010fa6","status":"affected","versionType":"git"},{"version":"b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9","lessThan":"0686a818d77a431fc3ba2fab4b46bbb04e8c9380","status":"affected","versionType":"git"},{"version":"642adb03541673f3897f64bbb62856ffd73807f5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bus/mhi/host/main.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"5.15.181","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.135","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.88","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.24","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.12","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.3","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.149","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.76","versionEndExcluding":"6.1.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.15","versionEndExcluding":"6.6.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.13.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.14.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da"},{"url":"https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b"},{"url":"https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1"},{"url":"https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425"},{"url":"https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760"},{"url":"https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6"},{"url":"https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380"}],"title":"bus: mhi: host: Fix race between unprepare and queue_buf","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:42:48.368Z"}}]}}