Linux Kernel Vulnerability in vhost-scsi of QEMU
CVE-2025-38074
What is CVE-2025-38074?
A vulnerability in the vhost-scsi subsystem of the Linux kernel allows access to vq->log_base when vq->log_used is improperly managed. Because of improper synchronization, this can result in invalid memory writes to QEMU userspace. The issue arises when a configuration change from QEMU disables vq->log_used while the completion path is still attempting to log memory operations. The flaw can be exploited when the control queue path handles vq->log_base, potentially allowing attackers to corrupt memory and cause system instability. Systems running QEMU should be updated to the latest version to mitigate this risk.
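The check-then-write race described above can be modelled deterministically. The following is an added example, not kernel or QEMU code: the toy_* names, the three arrival slots and the per-queue lock flag are assumptions made for illustration, and log_valid stands in for whether log_base still points at a live log.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for the virtqueue fields named in the advisory (hypothetical). */
struct toy_vq {
    bool log_used;       /* dirty logging currently enabled */
    bool log_valid;      /* models whether log_base still points at a live log */
    bool mutex_held;     /* models a per-queue lock (assumed mitigation) */
    int  good_writes;
    int  invalid_writes;
};

/* Configuration path: userspace turns logging off and retires the log area.
 * Returns false when it has to wait because the lock is held. */
static bool toy_disable_log(struct toy_vq *vq, bool use_lock)
{
    if (use_lock && vq->mutex_held)
        return false;    /* blocked until the completion path unlocks */
    vq->log_used = false;
    vq->log_valid = false;
    return true;
}

/* One completion, with the reconfiguration request arriving at `slot`:
 * 0 = before the log_used check, 1 = between check and write, 2 = after. */
int toy_invalid_writes(bool use_lock, int slot)
{
    struct toy_vq vq = { .log_used = true, .log_valid = true };
    bool pending = false;

    if (slot == 0) toy_disable_log(&vq, use_lock);
    if (use_lock) vq.mutex_held = true;
    bool saw_enabled = vq.log_used;                  /* step 1: check the flag */
    if (slot == 1) pending = !toy_disable_log(&vq, use_lock);
    if (saw_enabled) {                               /* step 2: write the log */
        if (vq.log_valid) vq.good_writes++;
        else vq.invalid_writes++;                    /* write to a retired log */
    }
    vq.mutex_held = false;
    if (pending || slot == 2) toy_disable_log(&vq, use_lock);
    return vq.invalid_writes;
}

int main(void)
{
    for (int slot = 0; slot < 3; slot++)
        printf("slot %d: unlocked=%d locked=%d\n", slot,
               toy_invalid_writes(false, slot), toy_invalid_writes(true, slot));
    return 0;
}
```

Only the slot that falls between the flag check and the log write produces an invalid write, and holding the lock across both steps defers the reconfiguration until the write has finished.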
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2