CVE-2025-38695 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue. Fix by adding a null ptr check on phba->sli4_hba.hdwq and early return because this situation means there must have been an error during port initialization.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability described in CVE-2025-38695 represents a critical null pointer dereference issue within the Linux kernel's SCSI subsystem, specifically affecting the LightPulse Fibre Channel (lpfc) driver implementation. This flaw exists in the lpfc_vport structure cleanup process and stems from improper error handling during hardware queue initialization. The vulnerability manifests when the lpfc_sli4_read_rev() function fails during the lpfc_sli4_hba_setup() initialization sequence, creating a scenario where cleanup operations are executed prematurely before the necessary hardware queue structures have been properly allocated. This particular issue falls under the CWE-476 category of NULL Pointer Dereference, which represents one of the most common and dangerous classes of software vulnerabilities in kernel space implementations.
The technical execution of this vulnerability occurs within the lpfc_sli4_vport_delete_fcp_xri_aborted() cleanup routine, which attempts to access the hdwq (hardware queue) structure without proper validation of its existence. When lpfc_sli4_read_rev() fails during initialization, the system proceeds to clean up resources but encounters a null pointer dereference when attempting to acquire the abts_io_buf_list_lock for the first hardware queue. This specific locking mechanism is essential for maintaining data integrity during I/O buffer management operations in the Fibre Channel protocol implementation. The flaw demonstrates poor defensive programming practices where the driver fails to validate hardware queue allocation status before attempting resource cleanup operations, directly violating the principle of defensive programming that should be enforced in kernel-level code.
The operational impact of this vulnerability extends beyond simple system stability concerns to potentially enable denial of service conditions or even privilege escalation scenarios within the kernel space. When a null pointer dereference occurs in kernel mode, the system typically experiences a kernel panic or system crash, resulting in complete service interruption for all Fibre Channel storage operations managed by the affected lpfc driver. This vulnerability affects systems utilizing LightPulse Fibre Channel HBAs, particularly those implementing the SLI-4 architecture, and could impact enterprise storage environments where continuous availability is critical. The vulnerability aligns with ATT&CK technique T1068 by exploiting a kernel-level programming error that could potentially be leveraged by malicious actors to cause system instability or gain elevated privileges within the kernel execution context.
The mitigation strategy for this vulnerability requires implementing proper null pointer validation before accessing hardware queue structures during cleanup operations. The fix involves adding a null pointer check on phba->sli4_hba.hdwq and implementing an early return mechanism when this condition is detected, as the presence of a null hardware queue pointer during cleanup indicates that an initialization error has already occurred. This approach follows the principle of fail-fast error handling and prevents the execution of cleanup routines when the underlying hardware structures are not properly initialized. System administrators should prioritize applying the kernel patches that implement this fix, particularly in production environments where Fibre Channel storage systems are deployed. The vulnerability also highlights the importance of comprehensive error handling in kernel drivers and demonstrates the necessity of proper resource management protocols that ensure hardware queue structures are fully initialized before any cleanup operations are attempted, aligning with industry best practices for kernel development and security hardening.