{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38594", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.028Z", "datePublished": "2025-08-19T17:03:19.689Z", "dateUpdated": "2026-05-11T21:31:16.291Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:31:16.291Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\n\nCommit 17fce9d2336d (\"iommu/vt-d: Put iopf enablement in domain attach\npath\") disables IOPF on device by removing the device from its IOMMU's\nIOPF queue when the last IOPF-capable domain is detached from the device.\nUnfortunately, it did this in a wrong place where there are still pending\nIOPFs. As a result, a use-after-free error is potentially triggered and\neventually a kernel panic with a kernel trace similar to the following:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\n Call Trace:\n <TASK>\n iopf_free_group+0xe/0x20\n process_one_work+0x197/0x3d0\n worker_thread+0x23a/0x350\n ? rescuer_thread+0x4a0/0x4a0\n kthread+0xf8/0x230\n ? finish_task_switch.isra.0+0x81/0x260\n ? kthreads_online_cpu+0x110/0x110\n ? kthreads_online_cpu+0x110/0x110\n ret_from_fork+0x13b/0x170\n ? kthreads_online_cpu+0x110/0x110\n ret_from_fork_asm+0x11/0x20\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nThe intel_pasid_tear_down_entry() function is responsible for blocking\nhardware from generating new page faults and flushing all in-flight\nones. Therefore, moving iopf_for_domain_remove() after this function\nshould resolve this."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/intel/iommu.c"], "versions": [{"version": "17fce9d2336d952b95474248303e5e7d9777f2e0", "lessThan": "c68332b7ee893292bba6e87d31ef2080c066c65d", "status": "affected", "versionType": "git"}, {"version": "17fce9d2336d952b95474248303e5e7d9777f2e0", "lessThan": "f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/intel/iommu.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d"}, {"url": "https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2"}], "title": "iommu/vt-d: Fix UAF on sva unbind with pending IOPFs", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:*:*:*:*:*:*:*", "matchCriteriaId": "D6BFC4F7-7099-4420-AF39-DD1CEABB8DF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\n\nCommit 17fce9d2336d (\"iommu/vt-d: Put iopf enablement in domain attach\npath\") disables IOPF on device by removing the device from its IOMMU's\nIOPF queue when the last IOPF-capable domain is detached from the device.\nUnfortunately, it did this in a wrong place where there are still pending\nIOPFs. As a result, a use-after-free error is potentially triggered and\neventually a kernel panic with a kernel trace similar to the following:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\n Call Trace:\n <TASK>\n iopf_free_group+0xe/0x20\n process_one_work+0x197/0x3d0\n worker_thread+0x23a/0x350\n ? rescuer_thread+0x4a0/0x4a0\n kthread+0xf8/0x230\n ? finish_task_switch.isra.0+0x81/0x260\n ? kthreads_online_cpu+0x110/0x110\n ? kthreads_online_cpu+0x110/0x110\n ret_from_fork+0x13b/0x170\n ? kthreads_online_cpu+0x110/0x110\n ret_from_fork_asm+0x11/0x20\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nThe intel_pasid_tear_down_entry() function is responsible for blocking\nhardware from generating new page faults and flushing all in-flight\nones. Therefore, moving iopf_for_domain_remove() after this function\nshould resolve this."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: Correcci\u00f3n de UAF en la desvinculaci\u00f3n de sva con IOPF pendientes. El commit 17fce9d2336d (\"iommu/vt-d: Colocar la habilitaci\u00f3n de iopf en la ruta de conexi\u00f3n del dominio\") deshabilita IOPF en el dispositivo elimin\u00e1ndolo de la cola de IOPF de su IOMMU cuando el \u00faltimo dominio con capacidad para IOPF se desvincula del dispositivo. Desafortunadamente, esto se realiz\u00f3 en un lugar incorrecto donde a\u00fan hay IOPF pendientes. Como resultado, se puede generar un error de use-after-free y, finalmente, un p\u00e1nico del kernel con un seguimiento del kernel similar al siguiente: refcount_t: underflow; use-after-free. ADVERTENCIA: CPU: 3 PID: 313 en lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 Cola de trabajo: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf Rastreo de llamadas: iopf_free_group+0xe/0x20 process_one_work+0x197/0x3d0 worker_thread+0x23a/0x350 ? rescuer_thread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finish_task_switch.isra.0+0x81/0x260 ? kthreads_online_cpu+0x110/0x110 ? kthreads_online_cpu+0x110/0x110 ret_from_fork+0x13b/0x170 ? kthreads_online_cpu+0x110/0x110 ret_from_fork_asm+0x11/0x20 ---[ end trace 0000000000000000 ]--- La funci\u00f3n intel_pasid_tear_down_entry() se encarga de impedir que el hardware genere nuevos fallos de p\u00e1gina y de eliminar todos los que se est\u00e1n ejecutando. Por lo tanto, mover iopf_for_domain_remove() despu\u00e9s de esta funci\u00f3n deber\u00eda resolver este problema."}], "id": "CVE-2025-38594", "lastModified": "2025-11-26T18:01:19.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-19T17:15:37.213", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: iommu/vt-d: Fix UAF on sva unbind with pending IOPFs", "id": "2389468", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389468"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38594", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38594\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38594\nhttps://lore.kernel.org/linux-cve-announce/2025081918-CVE-2025-38594-d686@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-08-21T12:31:38.187619+00:00", "updated": "2025-08-21T12:31:38.187675+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}