CVE-2025-21837

07.03.2025, 09:15

In the Linux kernel, the following vulnerability has been resolved:

io_uring/uring_cmd: unconditionally copy SQEs at prep time

This isn't generally necessary, but conditions have been observed where
SQE data is accessed from the original SQE after prep has been done and
outside of the initial issue. Opcode prep handlers must ensure that any
SQE related data is stable beyond the prep phase, but uring_cmd is a bit
special in how it handles the SQE which makes it susceptible to reading
stale data. If the application has reused the SQE before the original
completes, then that can lead to data corruption.

Down the line we can relax this again once uring_cmd has been sanitized
a bit, and avoid unnecessarily copying the SQE.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bookworm	6.1.129-1 not-affected
bullseye (security)	5.10.234-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	vulnerable
sid	vulnerable

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht spezifizierte Auswirkungen zu erzeugen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2025-03-06T23:00:00+00:00

References

https://git.kernel.org/stable/c/87fe1d68842a308998b315c8ed0163a1d639017c

https://git.kernel.org/stable/c/d6211ebbdaa541af197b50b8dd8f22642ce0b87f