🛡️ UBUNTU-CVE-2025-68331
⚪ Unknown ✅ No Known Exploit OSV
N/A
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully submitted URBs is completed before devinfo->resetting being set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV . In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete().

Details

Severity Unknown
CVSS Score N/A
CVSS Vector N/A
CWE N/A
Public Exploit ✅ No
Source OSV
Published 2025-12-22
Updated 2026-06-15
Modified 2026-06-08
Fix URL N/A

Affected Packages

Software From version Fixed in
linux 6.17.0-19.19
linux-allwinner-5.19
linux-aws 6.17.0-1009.9
linux-aws-5.0
linux-aws-5.11
linux-aws-5.13
linux-aws-5.15 5.15.0-1103.110~20.04.1
linux-aws-5.19
linux-aws-5.3
linux-aws-5.8
linux-aws-6.14
linux-aws-6.17 6.17.0-1009.9~24.04.2
linux-aws-6.2
linux-aws-6.5
linux-aws-6.8 6.8.0-1050.53~22.04.1
linux-aws-fips 6.8.0-1050.53+fips1
linux-azure 6.17.0-1010.10
linux-azure-5.11
linux-azure-5.13
linux-azure-5.15 5.15.0-1110.119~20.04.1
linux-azure-5.19
linux-azure-5.3
linux-azure-5.8
linux-azure-6.11
linux-azure-6.14
linux-azure-6.17 6.17.0-1010.10~24.04.1
linux-azure-6.2
linux-azure-6.5
linux-azure-6.8 6.8.0-1051.57~22.04.1
linux-azure-edge
linux-azure-fde
linux-azure-fde-5.19
linux-azure-fde-6.14
linux-azure-fde-6.17
linux-azure-fde-6.2
linux-azure-fde-6.8
linux-azure-fips 6.8.0-1052.58+fips1
linux-azure-nvidia
linux-azure-nvidia-6.14
linux-bluefield
linux-fips 6.8.0-106.106+fips1
linux-gcp 6.17.0-1009.9
linux-gcp-5.11
linux-gcp-5.13
linux-gcp-5.15 5.15.0-1103.112~20.04.1
linux-gcp-5.19
linux-gcp-5.3
linux-gcp-5.8
linux-gcp-6.11
linux-gcp-6.14
linux-gcp-6.17 6.17.0-1009.9~24.04.3
linux-gcp-6.2
linux-gcp-6.5
linux-gcp-6.8 6.8.0-1052.55~22.04.1
linux-gcp-fips 6.8.0-1052.55+fips1
linux-gke 6.8.0-1048.53
linux-gke-4.15
linux-gke-5.15
linux-gke-5.4
linux-gkeop 6.8.0-1035.38
linux-gkeop-5.15
linux-gkeop-5.4
linux-hwe
linux-hwe-5.11
linux-hwe-5.13
linux-hwe-5.15 5.15.0-173.183~20.04.1
linux-hwe-5.19
linux-hwe-5.8
linux-hwe-6.11
linux-hwe-6.14
linux-hwe-6.17 6.17.0-19.19~24.04.2
linux-hwe-6.2
linux-hwe-6.5
linux-hwe-6.8 6.8.0-106.106~22.04.1
linux-hwe-edge
linux-ibm 6.8.0-1049.49
linux-ibm-5.15 5.15.0-1097.100~20.04.1
linux-ibm-6.8 6.8.0-1049.49~22.04.1
linux-intel-5.13
linux-intel-iot-realtime 5.15.0-1094.96
linux-intel-iotg 5.15.0-1098.104
linux-intel-iotg-5.15 5.15.0-1098.104~20.04.1
linux-kvm 5.15.0-1095.100
linux-lowlatency 6.8.0-106.106.1
linux-lowlatency-hwe-5.15 5.15.0-173.183~20.04.1
linux-lowlatency-hwe-5.19
linux-lowlatency-hwe-6.11
linux-lowlatency-hwe-6.2
linux-lowlatency-hwe-6.5
linux-lowlatency-hwe-6.8 6.8.0-106.106.1~22.04.1
linux-nvidia 6.8.0-1049.52
linux-nvidia-6.11
linux-nvidia-6.17 6.17.0-1018.18
linux-nvidia-6.2
linux-nvidia-6.5
linux-nvidia-6.8 6.8.0-1049.52~22.04.1
linux-nvidia-lowlatency 6.8.0-1049.52.1
linux-nvidia-tegra 6.8.0-1020.20
linux-nvidia-tegra-5.15 5.15.0-1055.55~20.04.1
linux-nvidia-tegra-igx 5.15.0-1044.44
linux-oem
linux-oem-5.10
linux-oem-5.13
linux-oem-5.14
linux-oem-5.17
linux-oem-5.6
linux-oem-6.0
linux-oem-6.1
linux-oem-6.11
linux-oem-6.14
linux-oem-6.17 6.17.0-1017.17
linux-oem-6.5
linux-oem-6.8
linux-oracle 6.17.0-1009.9
linux-oracle-5.0
linux-oracle-5.11
linux-oracle-5.13
linux-oracle-5.15 5.15.0-1100.106~20.04.1
linux-oracle-5.3
linux-oracle-5.8
linux-oracle-6.14
linux-oracle-6.17 6.17.0-1009.9~24.04.1
linux-oracle-6.5
linux-oracle-6.8 6.8.0-1047.48~22.04.1
linux-raspi 6.17.0-1010.10
linux-raspi-realtime 6.8.0-2040.41
linux-raspi2
linux-realtime 6.17.0-1008.9
linux-realtime-6.14
linux-realtime-6.17 6.17.0-1008.9~24.04.1
linux-realtime-6.8 6.8.1-1045.46~22.04.1
linux-riscv 6.17.0-19.19.1
linux-riscv-5.11
linux-riscv-5.15 5.15.0-1097.101~20.04.1
linux-riscv-5.19
linux-riscv-5.8
linux-riscv-6.14
linux-riscv-6.17 6.17.0-19.19.1~24.04.1
linux-riscv-6.5
linux-riscv-6.8 6.8.0-106.106~22.04.1
linux-starfive-5.19
linux-starfive-6.2
linux-starfive-6.5
linux-xilinx 6.8.0-1028.29
linux-xilinx-zynqmp 5.15.0-1067.71

References

Similar Threats

Exploit Protection

Help block exploit attempts

BotEraser is designed to detect and help reduce malicious bot traffic that may target known vulnerabilities on your site.

Try BotEraser Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.