In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: protect vq->log_used with vq->mutex

The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.

vhost-thread QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
-> vhost_add_used_n()
if (unlikely(vq->log_used))
QEMU disables vq->log_used
via VHOST_SET_VRING_ADDR.
mutex_lock(&vq->mutex);
vq->log_used = false now!
mutex_unlock(&vq->mutex);

QEMU gfree(vq->log_base)
log_used()
-> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.

The control queue path has the same issue.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux
  • Linux Kernel

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux
  • Linux Kernel
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117 cve-icon cve-icon
https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f cve-icon cve-icon
https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd cve-icon cve-icon
https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427 cve-icon cve-icon
https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834 cve-icon cve-icon
https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c cve-icon cve-icon
https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2025061839-CVE-2025-38074-dc14@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-38074 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-38074 cve-icon
History

Thu, 17 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
References

Fri, 20 Jun 2025 23:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 18 Jun 2025 09:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.
Title vhost-scsi: protect vq->log_used with vq->mutex
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-07-17T16:55:34.504Z

Reserved: 2025-04-16T04:51:23.980Z

Link: CVE-2025-38074

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-18T10:15:40.850

Modified: 2025-07-17T17:15:36.540

Link: CVE-2025-38074

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-06-18T00:00:00Z

Links: CVE-2025-38074 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-06-23T08:53:47Z