Data Race Vulnerability in Linux Kernel Affecting SCSI UFS Component
CVE-2025-40130
What is CVE-2025-40130?
A data race has been identified in the Linux kernel's SCSI UFS component, in the handling of CPU latency PM QoS requests. The interfaces that manage these requests lack adequate internal synchronization, and the UFS code relied on a flag to guard them, which is not sufficient for that purpose. When multiple threads access the PM QoS resources at the same time, the result can be data races and corruption of list structures. The fix introduces a new mutex that serializes PM QoS operations, making them thread-safe and protecting against data corruption.
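The pattern described above, as an added userspace example (not kernel code and not part of the original advisory): a request node is linked into a list behind a check-then-act on a flag, and a mutex serializes the whole operation. All names (`qos_set`, `qos_lock`, `enabled`, `run_and_check`) are hypothetical, and pthreads stand in for kernel threads.

```c
#include <pthread.h>
#include <stdbool.h>

/* Hypothetical userspace model of the bug class; names are not the kernel's. */
struct node { struct node *prev, *next; };

static struct node head = { &head, &head };  /* list of active requests */
static struct node req;                       /* the single latency request */
static bool enabled;                          /* the flag used as the only guard */
static pthread_mutex_t qos_lock = PTHREAD_MUTEX_INITIALIZER;

static void list_add(struct node *n) {
    n->next = head.next; n->prev = &head;
    head.next->prev = n; head.next = n;
}
static void list_del(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* Check-then-act on the flag. Without the lock, two threads can both see
 * enabled == false and link the same node twice, leaving req.next == &req. */
static void qos_set(bool on, bool use_lock) {
    if (use_lock) pthread_mutex_lock(&qos_lock);
    if (on && !enabled)      { list_add(&req); enabled = true; }
    else if (!on && enabled) { list_del(&req); enabled = false; }
    if (use_lock) pthread_mutex_unlock(&qos_lock);
}

static void *worker(void *arg) {
    for (int i = 0; i < 100000; i++)
        qos_set(i & 1, *(bool *)arg);   /* alternate disable/enable */
    return NULL;
}

/* Returns 1 if the list is consistent with the flag, 0 if it is corrupted. */
int run_and_check(bool use_lock) {
    pthread_t t[4];
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, &use_lock);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    if (enabled)
        return head.next == &req && req.next == &head &&
               head.prev == &req && req.prev == &head;
    return head.next == &head && head.prev == &head;
}

int main(void) { return run_and_check(true) ? 0 : 1; }
```

With `use_lock` set to `false` the flag check and the list update are no longer atomic with respect to other threads, so the consistency check can fail; building with `-fsanitize=thread` reports the race directly.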
Affected Version(s)
Linux 2777e73fc154e2e87233bdcc0e2402b33815198e
Linux 2777e73fc154e2e87233bdcc0e2402b33815198e < 79dde5f7dc7c038eec903745dc1550cd4139980e
Linux 6.9