CVE-2025-38658

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The Linux kernel contains a flaw within the nvmet PCI-EPF subsystem where commands may be completed twice if nvmet req init() fails. This double completion can corrupt the state of the PCI NVMe target, potentially leading to a kernel oops. The issue occurs when an unsupported opcode is sent, such as the admin command "security receive" using nvme-cli. Specifically, the nvmet req init() function calls nvmet req complete() upon failure, which then calls nvmet pci epf queue response(). This function, under certain conditions, calls nvmet pci epf complete iod() resulting in a double completion as nvmet pci epf exec iod work() also calls nvmet pci epf complete iod() when nvmet req init() fails.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.