CVE-2025-38405

In the Linux kernel, the following vulnerability has been resolved: nvmet: fix memory leak of bio integrity If nvmet receives commands with metadata there is a continuous memory leak of kmalloc-128 slab or more precisely bio->bi_integrity. Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio") each user of bio_init has to use bio_uninit as well. Otherwise the bio integrity is not getting free. Nvmet uses bio_init for inline bios. Uninit the inline bio to complete deallocation of integrity in bio.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/190f4c2c863af7cc5bb354b70e0805f06419c038	Patch
https://git.kernel.org/stable/c/2e2028fcf924d1c6df017033c8d6e28b735a0508	Patch
https://git.kernel.org/stable/c/431e58d56fcb5ff1f9eb630724a922e0d2a941df	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::

History

19 Nov 2025, 18:18

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvmet: se corrige una fuga de memoria de la integridad de la bio. Si nvmet recibe comandos con metadatos, se produce una fuga de memoria continua de la slab kmalloc-128 o, más precisamente, bio->bi_integrity. Desde el commit bf4c89fc8797 ("bloqueo: no llamar a bio_uninit desde bio_endio"), cada usuario de bio_init debe usar también bio_uninit. De lo contrario, la integridad de la bio no se libera. nvmet usa bio_init para la bios en línea. Desinicie la bios en línea para completar la desasignación de la integridad en la bio.
First Time		Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel:6.16:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.16:rc3:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.16:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://git.kernel.org/stable/c/190f4c2c863af7cc5bb354b70e0805f06419c038 -~~	() https://git.kernel.org/stable/c/190f4c2c863af7cc5bb354b70e0805f06419c038 - Patch
References	~~() https://git.kernel.org/stable/c/2e2028fcf924d1c6df017033c8d6e28b735a0508 -~~	() https://git.kernel.org/stable/c/2e2028fcf924d1c6df017033c8d6e28b735a0508 - Patch
References	~~() https://git.kernel.org/stable/c/431e58d56fcb5ff1f9eb630724a922e0d2a941df -~~	() https://git.kernel.org/stable/c/431e58d56fcb5ff1f9eb630724a922e0d2a941df - Patch
CWE		CWE-401

25 Jul 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-25 14:15

Updated : 2025-11-19 18:18

NVD link : CVE-2025-38405

Mitre link : CVE-2025-38405

CVE.ORG link : CVE-2025-38405

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

5.5 /10