{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38074","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.980Z","datePublished":"2025-06-18T09:33:50.006Z","dateUpdated":"2026-05-11T21:20:44.870Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:20:44.870Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq->log_used with vq->mutex\n\nThe vhost-scsi completion path may access vq->log_base when vq->log_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-> vhost_add_used()\n   -> vhost_add_used_n()\n      if (unlikely(vq->log_used))\n                                      QEMU disables vq->log_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(&vq->mutex);\n                                      vq->log_used = false now!\n                                      mutex_unlock(&vq->mutex);\n\n\t\t\t\t      QEMU gfree(vq->log_base)\n        log_used()\n        -> log_write(vq->log_base)\n\nAssuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/vhost/scsi.c"],"versions":[{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"80cf68489681c165ded460930e391b1eb37b5f6f","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"8312a1ccff1566f375191a89b9ba71b6eb48a8cd","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"59614c5acf6688f7af3c245d359082c0e9e53117","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"ca85c2d0db5f8309832be45858b960d933c2131c","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"bd8c9404e44adb9f6219c09b3409a61ab7ce3427","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"c0039e3afda29be469d29b3013d7f9bdee136834","status":"affected","versionType":"git"},{"version":"057cbf49a1f08297877e46c82f707b1bfea806a8","lessThan":"f591cf9fce724e5075cc67488c43c6e39e8cbe27","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/vhost/scsi.c"],"versions":[{"version":"3.6","status":"affected"},{"version":"0","lessThan":"3.6","status":"unaffected","versionType":"semver"},{"version":"5.10.240","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.189","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.146","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.93","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.31","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.9","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"5.10.240"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"5.15.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.1.146"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.6.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.12.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.14.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f"},{"url":"https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd"},{"url":"https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117"},{"url":"https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c"},{"url":"https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427"},{"url":"https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834"},{"url":"https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27"}],"title":"vhost-scsi: protect vq->log_used with vq->mutex","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:33:42.169Z"}}]}}