{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38399", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.012Z", "datePublished": "2025-07-25T12:53:43.211Z", "dateUpdated": "2026-05-11T21:27:13.914Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:27:13.914Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()\n\nThe function core_scsi3_decode_spec_i_port(), in its error code path,\nunconditionally calls core_scsi3_lunacl_undepend_item() passing the\ndest_se_deve pointer, which may be NULL.\n\nThis can lead to a NULL pointer dereference if dest_se_deve remains\nunset.\n\nSPC-3 PR SPEC_I_PT: Unable to locate dest_tpg\nUnable to handle kernel paging request at virtual address dfff800000000012\nCall trace:\n core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)\n core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]\n core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]\n target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]\n\nFix this by adding a NULL check before calling\ncore_scsi3_lunacl_undepend_item()"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_pr.c"], "versions": [{"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "70ddb8133fdb512d4b1f2b4fd1c9e518514f182c", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "1129e0e0a833acf90429e0f13951068d5f026e4f", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "1627dda4d70ceb1ba62af2e401af73c09abb1eb5", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "55dfffc5e94730370b08de02c0cf3b7c951bbe9e", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "7296c938df2445f342be456a6ff0b3931d97f4e5", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "c412185d557578d3f936537ed639c4ffaaed4075", "status": "affected", "versionType": "git"}, {"version": "f32ba612ef0f8eecaf6d2a5b04076ee7ea9ed039", "lessThan": "d8ab68bdb294b09a761e967dad374f2965e1913f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_pr.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.240", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.187", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.144", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.97", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.37", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.6", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.10.240"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.15.187"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.1.144"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.97"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.37"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.15.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/70ddb8133fdb512d4b1f2b4fd1c9e518514f182c"}, {"url": "https://git.kernel.org/stable/c/1129e0e0a833acf90429e0f13951068d5f026e4f"}, {"url": "https://git.kernel.org/stable/c/1627dda4d70ceb1ba62af2e401af73c09abb1eb5"}, {"url": "https://git.kernel.org/stable/c/55dfffc5e94730370b08de02c0cf3b7c951bbe9e"}, {"url": "https://git.kernel.org/stable/c/7296c938df2445f342be456a6ff0b3931d97f4e5"}, {"url": "https://git.kernel.org/stable/c/c412185d557578d3f936537ed639c4ffaaed4075"}, {"url": "https://git.kernel.org/stable/c/d8ab68bdb294b09a761e967dad374f2965e1913f"}], "title": "scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T17:37:31.744Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5394BF17-9E80-4744-BF31-079B38D9CF1D", "versionEndExcluding": "5.10.240", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BD28D29-423C-4173-9DB8-3BA14E9F665D", "versionEndExcluding": "5.15.187", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "81CF08DB-B7A2-4556-8AE3-ED9144F50E31", "versionEndExcluding": "6.1.144", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB1BB991-B903-4718-966C-07C803CBEABC", "versionEndExcluding": "6.6.97", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B4159AA-C70D-4DE5-9EE2-8F2728F13C5D", "versionEndExcluding": "6.12.37", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E0BB4E0-44BC-4645-83A8-6EA232CE624C", "versionEndExcluding": "6.15.6", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()\n\nThe function core_scsi3_decode_spec_i_port(), in its error code path,\nunconditionally calls core_scsi3_lunacl_undepend_item() passing the\ndest_se_deve pointer, which may be NULL.\n\nThis can lead to a NULL pointer dereference if dest_se_deve remains\nunset.\n\nSPC-3 PR SPEC_I_PT: Unable to locate dest_tpg\nUnable to handle kernel paging request at virtual address dfff800000000012\nCall trace:\n core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)\n core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]\n core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]\n target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]\n\nFix this by adding a NULL check before calling\ncore_scsi3_lunacl_undepend_item()"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port(). La funci\u00f3n core_scsi3_decode_spec_i_port(), en su ruta de c\u00f3digo de error, llama incondicionalmente a core_scsi3_lunacl_undepend_item() pasando el puntero dest_se_deve, que puede ser NULL. Esto puede provocar una desreferencia de puntero NULL si dest_se_deve permanece sin definir. SPC-3 PR SPEC_I_PT: No se puede ubicar dest_tpg No se puede manejar la solicitud de paginaci\u00f3n del n\u00facleo en la direcci\u00f3n virtual dfff800000000012 Rastreo de llamadas: core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P) core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod] core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod] target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod] Solucione esto agregando una comprobaci\u00f3n NULL antes de llamar a core_scsi3_lunacl_undepend_item()"}], "id": "CVE-2025-38399", "lastModified": "2025-12-23T19:37:00.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-25T13:15:29.417", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1129e0e0a833acf90429e0f13951068d5f026e4f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1627dda4d70ceb1ba62af2e401af73c09abb1eb5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/55dfffc5e94730370b08de02c0cf3b7c951bbe9e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/70ddb8133fdb512d4b1f2b4fd1c9e518514f182c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7296c938df2445f342be456a6ff0b3931d97f4e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c412185d557578d3f936537ed639c4ffaaed4075"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d8ab68bdb294b09a761e967dad374f2965e1913f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()", "id": "2383391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383391"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-754", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nscsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()\nThe function core_scsi3_decode_spec_i_port(), in its error code path,\nunconditionally calls core_scsi3_lunacl_undepend_item() passing the\ndest_se_deve pointer, which may be NULL.\nThis can lead to a NULL pointer dereference if dest_se_deve remains\nunset.\nSPC-3 PR SPEC_I_PT: Unable to locate dest_tpg\nUnable to handle kernel paging request at virtual address dfff800000000012\nCall trace:\ncore_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)\ncore_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]\ncore_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]\ntarget_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]\nFix this by adding a NULL check before calling\ncore_scsi3_lunacl_undepend_item()"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-38399", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38399\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38399\nhttps://lore.kernel.org/linux-cve-announce/2025072510-CVE-2025-38399-00ec@gregkh/T"], "statement": "This patch fixes a kernel NULL pointer dereference in the target_core_pr module when handling malformed SPC-3 Persistent Reservation (SPEC_I_PT) commands.\nWithout the fix, an uninitialized dest_se_deve pointer may be dereferenced, leading to a kernel panic or crash.\nA simple NULL check prevents this error in the error path logic of core_scsi3_decode_spec_i_port().", "threat_severity": "Moderate"}

{"created": "2025-07-26T11:22:05.863045+00:00", "updated": "2025-07-26T11:22:05.863105+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}