CVE-2025-22068

HIGH

Linux Kernel 6.7-6.12.22, 6.13.0-6.13.10, 6.14.0-6.14.1 - Use-After-Free in ublk Queue Freeze Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: ublk: make sure ubq->canceling is set when queue is frozen Now ublk driver depends on `ubq->canceling` for deciding if the request can be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd() and io_uring_cmd_done(). So set ubq->canceling when queue is frozen, this way makes sure that the flag can be observed from ublk_queue_rq() reliably, and avoids use-after-free on uring_cmd.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/7e3497d7dacb5aee69dd9be842b778083cae0e75

Patch

https://git.kernel.org/stable/c/5491400589e7572c2d2627ed6384302f7672aa1d

Patch

https://git.kernel.org/stable/c/9158359015f0eda00e521e35b7bc7ebce176aebf

Patch

https://git.kernel.org/stable/c/8741d0737921ec1c03cf59aebf4d01400c2b461a

Scores

CVSS v3 7.8

EPSS 0.0017

EPSS Percentile 6.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (14)

linux/Kernel 6.13.0 - 6.13.11linux

linux/Kernel 6.14.0 - 6.14.2linux

linux/Kernel 6.7.0 - 6.12.23linux

Linux/Linux < 6.7

Linux/Linux 216c8f5ef0f209a3797292c487bdaa6991ab4b92 - 5491400589e7572c2d2627ed6384302f7672aa1d

Linux/Linux 216c8f5ef0f209a3797292c487bdaa6991ab4b92 - 7e3497d7dacb5aee69dd9be842b778083cae0e75

Linux/Linux 216c8f5ef0f209a3797292c487bdaa6991ab4b92 - 8741d0737921ec1c03cf59aebf4d01400c2b461a

Linux/Linux 216c8f5ef0f209a3797292c487bdaa6991ab4b92 - 9158359015f0eda00e521e35b7bc7ebce176aebf

Linux/Linux 6.12.23 - 6.12.*

Linux/Linux 6.13.11 - 6.13.*

... and 4 more

Published Apr 16, 2025

Tracked Since Feb 18, 2026