CVE-2025-38326: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38326 is a vulnerability discovered in the Linux kernel, specifically affecting the AoE (ATA over Ethernet) device handling. The vulnerability was disclosed on July 10, 2025. It affects various Linux distributions including Ubuntu and Debian systems running vulnerable kernel versions (NVD, Ubuntu).

The vulnerability exists in the AoE device's rq_list handling, which contains accepted block requests waiting to be transmitted to the AoE target. The issue arose after the conversion to blk_mq, where the queue was not properly cleaned out when an AoE device is downed. This caused blk_mq_freeze_queue() to sleep indefinitely while waiting for requests to complete, resulting in a system hang (NVD).

The vulnerability can cause system hangs when AoE devices are being downed, potentially affecting system availability and operational stability. This is particularly relevant for systems using ATA over Ethernet storage configurations (NVD).

A fix has been implemented that cleans out the queue before calling blk_mq_freeze_queue(). The fix is available in updated kernel versions. Ubuntu has marked this as a medium priority issue and is working on updates for affected versions. Debian has also acknowledged the vulnerability and has fixed it in their trixie and sid releases (Ubuntu, Debian).