CVE-2025-23154: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability (CVE-2025-23154) was discovered in the Linux kernel affecting the io_uring subsystem, specifically related to io_req_post_cqe abuse by send bundle. The issue was identified and disclosed on May 1, 2025, impacting the Linux kernel's io_uring networking functionality (NVD, Wiz).

The vulnerability involves improper handling of io_req_post_cqe() which should only be used by multishot requests (REQ_F_APOLL_MULTISHOT), but was being incorrectly used with bundled sends. The issue manifests in the io_uring/io_uring.c file at line 872, triggering CPU warnings and potentially causing system instability. The vulnerability has received a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability affects various Linux distributions including Debian Bullseye, Bookworm, and Trixie. While Bullseye and Bookworm were marked as not affected due to the vulnerable code not being present, Trixie was marked as vulnerable until the fix was implemented (Debian Tracker).

The issue has been resolved in various Linux kernel versions. Debian has implemented fixes in version 6.12.25-1 for sid. Red Hat Enterprise Linux 9 has deferred the fix for both kernel and kernel-rt packages. Users are advised to update to the patched versions to mitigate this vulnerability (Debian Tracker, Red Hat).