CVE-2025-38700 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown.

Fix by setting iscsi_conn->dd_data only if memory is actually allocated.

Panic trace: ------------ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability described in CVE-2025-38700 resides within the Linux kernel's SCSI subsystem, specifically in the libiscsi implementation that handles iSCSI over InfiniBand connections. This issue manifests as a critical system panic occurring during iSER (iSCSI over InfiniBand) connection setup when memory allocation fails. The flaw demonstrates a classic improper initialization pattern where the dd_data field of the iscsi_conn structure is assigned regardless of whether memory allocation was successful, creating a scenario where uninitialized pointers are later dereferenced during connection teardown operations.

The technical root cause stems from a failure to properly validate memory allocation status before initializing the dd_data pointer. During iSER setup, when ib_fast_reg_mr allocation fails with error code -12 indicating memory exhaustion, the code continues to initialize iscsi_conn->dd_data unconditionally. This initialization occurs even when dd_size is zero, meaning no actual memory was allocated for the data descriptor. The subsequent connection teardown process then attempts to access this invalid pointer, resulting in a page fault that triggers a kernel panic. This pattern violates fundamental memory safety principles and represents a clear violation of CWE-457: Use of Uninitialized Variable, which directly impacts system stability and availability.

The operational impact of this vulnerability extends beyond simple system crashes to encompass potential denial of service scenarios across network storage environments. Systems utilizing iSCSI over InfiniBand for storage connectivity become vulnerable to uncontrolled kernel panics whenever memory allocation failures occur during connection establishment. This creates a significant risk for enterprise storage infrastructures where continuous availability is critical, as even transient memory pressure conditions can trigger system-wide outages. The vulnerability affects the ATT&CK technique T1499.004: Endpoint Denial of Service, specifically targeting system resources through kernel-level memory management failures. The panic trace demonstrates a clear path from allocation failure through improper initialization to kernel page fault handling, indicating that the vulnerability exists in the core connection management logic rather than peripheral components.

Mitigation strategies for CVE-2025-38700 require immediate kernel updates from vendors who have addressed this specific memory initialization flaw. The fix implements a conditional assignment pattern that only sets iscsi_conn->dd_data when memory allocation actually succeeds, preventing the invalid pointer dereference during teardown. Organizations should prioritize patching their kernel versions to include this fix, particularly in environments running iSCSI over InfiniBand storage solutions. Additionally, system administrators should implement monitoring for memory allocation failures and consider implementing memory pressure handling policies that can prevent the conditions leading to this vulnerability. The remediation aligns with security best practices for memory management and follows established patterns for preventing kernel-level crashes through proper initialization validation, addressing both the immediate vulnerability and reducing the attack surface for similar memory-related issues in the SCSI transport layer.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00160

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!