CVE-2025-37828

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition can occur between the MCQ completion path and the abort handler in the Linux kernel. Once a request completes, blk mq free request() sets rq->mq hctx to NULL, meaning the subsequent ufshcd mcq req to hwq() call in ufshcd mcq abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash. A NULL check has been added for the returned hwq pointer to prevent a potential NULL-pointer dereference.

Recommendations As a temporary workaround, consider disabling the ufshcd mcq abort() function until a patch is available. Restrict access to the ufshcd mcq req to hwq() function to minimize the risk of exploitation. Avoid using the rq->mq hctx variable in the affected code path until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.