CVE-2025-38405

25.07.2025, 14:15

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix memory leak of bio integrity

If nvmet receives commands with metadata there is a continuous memory
leak of kmalloc-128 slab or more precisely bio->bi_integrity.

Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio")
each user of bio_init has to use bio_uninit as well. Otherwise the bio
integrity is not getting free. Nvmet uses bio_init for inline bios.

Uninit the inline bio to complete deallocation of integrity in bio.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bookworm	6.1.137-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm (security)	6.1.140-1 fixed
trixie	6.12.38-1 fixed
sid	6.12.38-1 fixed
trixie (security)	vulnerable

References

https://git.kernel.org/stable/c/190f4c2c863af7cc5bb354b70e0805f06419c038

https://git.kernel.org/stable/c/2e2028fcf924d1c6df017033c8d6e28b735a0508

https://git.kernel.org/stable/c/431e58d56fcb5ff1f9eb630724a922e0d2a941df