Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-37828
CVE-2025-37828:
Linux Debian vulnerability analysis and mitigation
Overview
A race condition vulnerability (CVE-2025-37828) was discovered in the Linux kernel's SCSI UFS MCQ implementation. The vulnerability was disclosed on May 8, 2025, affecting the Linux kernel's SCSI subsystem, specifically in the ufshcdmcqabort() function (NVD).
Technical details
The vulnerability occurs due to a race condition between the MCQ completion path and the abort handler. When a request completes, _blkmqfreerequest() sets rq->mqhctx to NULL, which can cause the subsequent ufshcdmcqreqtohwq() call in ufshcdmcq_abort() to return a NULL pointer. If this NULL pointer is dereferenced, it results in a kernel crash (NVD).
Impact
If successfully exploited, this vulnerability can lead to a kernel crash, resulting in a denial of service condition on the affected system (NVD).
Mitigation and workarounds
The fix involves adding a NULL check for the returned hwq pointer in the ufshcdmcqabort() function. If hwq is NULL, the system logs an error and returns FAILED, preventing the potential NULL-pointer dereference. The ufshcdcmdinflight() check has been removed as part of this fix (NVD).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management