CVE-2025-38238 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash.

Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly.

Tested by checking MDS for FDMI information.

Tested by using instrumented driver to:

- Drop PLOGI response - Drop RHBA response - Drop RPA response - Drop RHBA and RPA response - Drop PLOGI response + ABTS response - Drop RHBA response + ABTS response - Drop RPA response + ABTS response - Drop RHBA and RPA response + ABTS response for both of them

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability described in CVE-2025-38238 resides within the Linux kernel's Fibre Channel over Ethernet (FCoE) Network Interface Controller (NIC) driver known as fnic. This issue manifests specifically within the fnic_wq_cmpl_handler function which processes completion events for work queue entries. The flaw occurs during the handling of FDMI (Fibre Channel Distance Management Interface) requests, which are essential for discovering and managing Fibre Channel fabric elements in storage area networks. When both RHBA (Registered Host Bus Adapter) and RPA (Registered Port Alias) FDMI requests experience timeouts, the driver enters an erroneous state where it attempts to reuse a single frame for sending ABTS (Abort Sequence) commands to both failed requests. This fundamental design flaw creates a double-free condition that results in system crashes and potential denial of service scenarios.

The technical root cause of this vulnerability stems from improper memory management within the FCoE driver's frame handling logic. According to CWE-415, this represents an explicit double-free error where the same memory frame is deallocated twice, leading to memory corruption and system instability. The fnic driver's implementation fails to maintain proper frame lifecycle management when processing multiple concurrent FDMI timeouts, causing the frame pointer to be freed once during the first ABTS completion and then again during the second ABTS completion. This pattern violates fundamental memory safety principles and creates an exploitable condition that can be triggered through specific network communication sequences involving timeout scenarios.

The operational impact of this vulnerability extends beyond simple system crashes to encompass potential data loss and service disruption in enterprise storage environments. Organizations relying on FCoE-based storage networks may experience unexpected system failures during normal operations when FDMI requests timeout, particularly in environments with high network traffic or intermittent connectivity issues. The vulnerability affects systems running Linux kernels with the fnic driver enabled, making it relevant to data center storage infrastructure, cloud computing platforms, and enterprise server environments that utilize FCoE protocols for storage connectivity. The crash condition can lead to complete system hangs or reboots, disrupting critical storage operations and potentially causing data integrity issues during active I/O operations.

Mitigation strategies for this vulnerability require immediate kernel updates from vendors who have implemented the fix, which involves allocating separate frames for each RHBA and RPA FDMI request processing. The fix addresses the core issue by ensuring that each ABTS command operates on distinct memory frames rather than reusing the same frame. Security teams should prioritize patch deployment across all affected systems, particularly in mission-critical environments where storage availability is paramount. Additionally, network monitoring solutions should be enhanced to detect unusual FDMI request patterns that might precede this vulnerability exploitation. The testing methodology employed during development included extensive instrumentation to verify proper frame allocation under various timeout conditions, including scenarios where PLOGI responses were dropped, FDMI responses were dropped individually or in combination, and ABTS responses were selectively dropped. This comprehensive testing approach ensures that the fix properly handles edge cases and maintains driver stability under real-world network conditions. Organizations should also consider implementing network segmentation and access controls to limit exposure to potential exploitation vectors while awaiting patch deployment, aligning with ATT&CK technique T1562.001 for privilege escalation and system recovery.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00129

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!