CVE-2025-68331

Name of the Vulnerable Software and Affected Versions Linux Kernel (affected versions not specified)

Description The Linux kernel contains an issue within the USB subsystem related to unmapping URBs (USB Request Blocks) when a UAS (USB Attached SCSI) device is removed during data transfer. Specifically, a system panic can occur due to an invalid memory access during URB callback handling. This happens when the dma direct unmap sg() function is called within the usb hcd unmap urb for dma() interface, but the sg->dma address field is zero and the sg data structure has already been freed. The SCSI driver uses the uas queuecommand lck() function to send transfer commands, which invokes uas submit urbs() to submit requests to USB. Device removal during uas submit urbs() execution can lead to URB submission failure, but previously submitted URBs may still be processed, causing issues during sgtable release and unmapping operations. The fix modifies the error handling in uas submit urbs() to avoid immediately invoking scsi done() when a UAS device is removed and URBs have already been submitted. Instead, it saves the command and calls scsi done() within uas try complete() or uas zap pending() depending on the completion status of the URBs.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.