{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23151", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-01-11T14:28:41.513Z", "datePublished": "2025-05-01T12:55:38.833Z", "dateUpdated": "2025-05-26T05:19:33.101Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:19:33.101Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bus/mhi/host/main.c"], "versions": [{"version": "176ed1727badd2fad2158e2b214dcbc24f4be7a1", "lessThan": "899d0353ea69681f474b6bc9de32c663b89672da", "status": "affected", "versionType": "git"}, {"version": "0b093176fd0967a5f56e2c86b0d48247f6c0fa0f", "lessThan": "3e7ecf181cbdde9753204ada3883ca1704d8702b", "status": "affected", "versionType": "git"}, {"version": "ce16274a6b8d1483d0d8383272deb2bfd1b577ca", "lessThan": "5f084993c90d9d0b4a52a349ede5120f992a7ca1", "status": "affected", "versionType": "git"}, {"version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9", "lessThan": "a77955f7704b2a00385e232cbcc1cb06b5c7a425", "status": "affected", "versionType": "git"}, {"version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9", "lessThan": "178e5657c8fd285125cc6743a81b513bce099760", "status": "affected", "versionType": "git"}, {"version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9", "lessThan": "ee1fce83ed56450087309b9b74ad9bcb2b010fa6", "status": "affected", "versionType": "git"}, {"version": "b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9", "lessThan": "0686a818d77a431fc3ba2fab4b46bbb04e8c9380", "status": "affected", "versionType": "git"}, {"version": "642adb03541673f3897f64bbb62856ffd73807f5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bus/mhi/host/main.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.181", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.135", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.24", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.3", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.149", "versionEndExcluding": "5.15.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.76", "versionEndExcluding": "6.1.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.15", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da"}, {"url": "https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b"}, {"url": "https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1"}, {"url": "https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425"}, {"url": "https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760"}, {"url": "https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6"}, {"url": "https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380"}], "title": "bus: mhi: host: Fix race between unprepare and queue_buf", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bus: mhi: host: Correcci\u00f3n de la competencia entre unprepare y queue_buf. Un controlador de cliente podr\u00eda usar mhi_unprepare_from_transfer() para silenciar los datos entrantes durante su desconexi\u00f3n. El controlador de cliente tambi\u00e9n podr\u00eda estar procesando datos simult\u00e1neamente, lo que resulta en una llamada a mhi_queue_buf(), que invocar\u00e1 mhi_gen_tre(). Si mhi_gen_tre() se ejecuta despu\u00e9s de que mhi_unprepare_from_transfer() haya desconectado el canal, se producir\u00e1 un p\u00e1nico debido a una desreferencia no v\u00e1lida que provoca un fallo de p\u00e1gina. Esto ocurre porque mhi_gen_tre() no verifica el estado del canal despu\u00e9s de bloquearlo. Para solucionar esto, haga que mhi_gen_tre() confirme que el estado del canal es v\u00e1lido o devuelva un error para evitar acceder a los datos desinicializados. [mani: etiqueta estable a\u00f1adida]"}], "id": "CVE-2025-23151", "lastModified": "2025-05-02T13:53:20.943", "metrics": {}, "published": "2025-05-01T13:15:51.003", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bus: mhi: host: Fix race between unprepare and queue_buf", "id": "2363342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363342"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-366", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbus: mhi: host: Fix race between unprepare and queue_buf\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n[mani: added stable tag]"], "name": "CVE-2025-23151", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23151\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23151\nhttps://lore.kernel.org/linux-cve-announce/2025050128-CVE-2025-23151-aba7@gregkh/T"], "threat_severity": "Low"}