CVE-2025-38658 in Linux
Summary
by MITRE • 08/22/2025
In the Linux kernel, the following vulnerability has been resolved:
nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails
Have nvmet_req_init() and req->execute() complete failed commands.
Description of the problem: nvmet_req_init() calls __nvmet_req_complete() internally upon failure, e.g., unsupported opcode, which calls the "queue_response" callback, this results in nvmet_pci_epf_queue_response() being called, which will call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is different from DMA_TO_DEVICE. This results in a double completion as nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod() when nvmet_req_init() fails.
Steps to reproduce: On the host send a command with an unsupported opcode with nvme-cli, For example the admin command "security receive" $ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096
This triggers a double completion as nvmet_req_init() fails and nvmet_pci_epf_queue_response() is called, here iod->dma_dir is still in the default state of "DMA_NONE" as set by default in nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called. Because nvmet_req_init() failed nvmet_pci_epf_complete_iod() is also called in nvmet_pci_epf_exec_iod_work() leading to a double completion. This not only sends two completions to the host but also corrupts the state of the PCI NVMe target leading to kernel oops.
This patch lets nvmet_req_init() and req->execute() complete all failed commands, and removes the double completion case in nvmet_pci_epf_exec_iod_work() therefore fixing the edge cases where double completions occurred.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/29/2026
The vulnerability identified as CVE-2025-38658 resides within the Linux kernel's NVMe over Fabrics target implementation, specifically affecting the pci-epf (PCI Endpoint Function) subsystem. This flaw represents a critical double completion issue that occurs when processing NVMe commands with unsupported opcodes, creating a scenario where the same I/O operation receives two completion notifications. The vulnerability stems from improper handling of command initialization failures within the nvmet subsystem, where the nvmet_req_init() function internally calls __nvmet_req_complete() upon encountering unsupported opcodes, leading to an unintended sequence of completion callbacks that ultimately results in kernel memory corruption and potential system instability.
The technical root cause of this vulnerability lies in the improper state management and callback execution flow within the NVMe target driver. When nvmet_req_init() fails to process a command due to unsupported opcode, it invokes __nvmet_req_complete() which in turn triggers the queue_response callback mechanism. This callback path leads to nvmet_pci_epf_queue_response() being executed, which then calls nvmet_pci_epf_complete_iod() based on specific DMA direction criteria. However, the same command completion occurs again in nvmet_pci_epf_exec_iod_work() when the function checks for nvmet_req_init() failure, creating an unavoidable double completion scenario. The problem is particularly exacerbated because the iod->dma_dir remains in its default DMA_NONE state as initialized by nvmet_pci_epf_alloc_iod(), ensuring that nvmet_pci_epf_complete_iod() gets invoked twice for the same I/O operation.
The operational impact of this vulnerability extends beyond simple command failure, as it creates a kernel oops condition that can lead to system crashes and potential denial of service scenarios. The double completion mechanism not only sends erroneous completion notifications to the host system but also corrupts the internal state of the PCI NVMe target subsystem, potentially allowing for further exploitation or system instability. This vulnerability specifically affects systems running Linux kernels with NVMe over Fabrics target support, particularly those implementing PCIe endpoint functionality, and poses significant risks to data center environments where NVMe storage performance and reliability are critical. The issue manifests when processing unsupported admin commands such as security receive operations, making it particularly concerning for storage administrators who may inadvertently trigger these conditions through command line tools like nvme-cli.
The fix for CVE-2025-38658 addresses the core issue by ensuring that nvmet_req_init() and req->execute() properly complete all failed commands while removing the redundant completion case in nvmet_pci_epf_exec_iod_work(). This patch resolves the edge cases that previously led to double completions by establishing a clear single completion path for failed commands, thereby preventing the kernel memory corruption and oops conditions that occurred. The solution aligns with security best practices for kernel memory management and I/O completion handling, preventing potential privilege escalation or denial of service attacks that could exploit this double completion scenario. This vulnerability classification aligns with CWE-129 and CWE-131 categories related to improper input validation and buffer overflow conditions, while also mapping to ATT&CK techniques involving privilege escalation and system stability compromise through kernel-level vulnerabilities. Organizations should prioritize applying this patch to mitigate the risk of system instability and potential exploitation in production environments utilizing NVMe over Fabrics target functionality.