Denial of Service in Linux Kernel nvme-fc Module
CVE-2025-40261

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-40261?

A vulnerability exists in the Linux kernel's nvme-fc module, where the improper cancellation of I/O error work can lead to system instability. Specifically, in the nvme_fc_delete_ctrl function, the cancellation of the ->ioerr_work must occur after the nvme_fc_delete_association function is called. Failure to do so can result in a list_del corruption, causing kernel crashes and impacting system performance, especially under heavy I/O operations.

Affected Version(s)

Linux 19fce0470f05031e6af36e49ce222d0f0050d432 < 33f64600a12055219bda38b55320c62cdeda9167

Linux 19fce0470f05031e6af36e49ce222d0f0050d432 < 48ae433c6cc6985f647b1b37d8bb002972cf9bdb

Linux 19fce0470f05031e6af36e49ce222d0f0050d432

References

https://git.kernel.org/stable/c/33f64600a12055219bda38b55...

https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d...

https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Apr 16, 2025

JSON