CVE-2025-38174: 
Linux Debian vulnerability analysis and mitigation

A vulnerability in the Linux kernel's Thunderbolt subsystem was discovered and assigned CVE-2025-38174. The issue was reported on July 4, 2025, affecting the Linux kernel version 6.6.65 and potentially other versions. The vulnerability involves a double dequeue operation in the thunderbolt configuration request handling mechanism (NVD).

The vulnerability occurs in the tbcfgrequestdequeue() function where a configuration request can be scheduled twice: first via frame.callback from ringwork() and second time from tbcfgrequest(). This double scheduling results in both kworkers executing tbcfgrequestdequeue(), leading to a double listdel() operation on the ctl->request_queue. The issue manifests as a general protection fault with a non-canonical address 0xdead000000000122, indicating a list poison dereference (NVD).

The vulnerability can cause system crashes in affected devices, specifically triggering a general protection fault in the kernel. This affects the system stability and can lead to denial of service conditions (Debian Security).

The issue has been fixed in Linux kernel version 6.12.33-1 and later versions. The fix involves adding a check to prevent dequeuing requests that don't have the TBCFGREQUEST_ACTIVE bit set (Debian Security).