[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-38211":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":9,"summary":27,"references_raw":29,"kevs":36,"epss":9,"epss_history":37,"metrics":38,"affected":45},"DEBIAN-CVE-2025-38211","In the Linux kernel, the following vulnerability has been resolved:  RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction  The commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last deref\") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a use-after-free related to destroying CM IDs\") addressed this use-after- free by flushing all pending works at the cm_id destruction.  However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below:    BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250   Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091    CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014   Workqueue:  0x0 (iw_cm_wq)   Call Trace:    \u003CTASK>    dump_stack_lvl+0x6a/0x90    print_report+0x174/0x554    ? __virt_addr_valid+0x208/0x430    ? __pwq_activate_work+0x1ff/0x250    kasan_report+0xae/0x170    ? __pwq_activate_work+0x1ff/0x250    __pwq_activate_work+0x1ff/0x250    pwq_dec_nr_in_flight+0x8c5/0xfb0    process_one_work+0xc11/0x1460    ? __pfx_process_one_work+0x10/0x10    ? assign_work+0x16c/0x240    worker_thread+0x5ef/0xfd0    ? __pfx_worker_thread+0x10/0x10    kthread+0x3b0/0x770    ? __pfx_kthread+0x10/0x10    ? rcu_is_watching+0x11/0xb0    ? _raw_spin_unlock_irq+0x24/0x50    ? rcu_is_watching+0x11/0xb0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x30/0x70    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    \u003C/TASK>    Allocated by task 147416:    kasan_save_stack+0x2c/0x50    kasan_save_track+0x10/0x30    __kasan_kmalloc+0xa6/0xb0    alloc_work_entries+0xa9/0x260 [iw_cm]    iw_cm_connect+0x23/0x4a0 [iw_cm]    rdma_connect_locked+0xbfd/0x1920 [rdma_cm]    nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]    cma_cm_event_handler+0xae/0x320 [rdma_cm]    cma_work_handler+0x106/0x1b0 [rdma_cm]    process_one_work+0x84f/0x1460    worker_thread+0x5ef/0xfd0    kthread+0x3b0/0x770    ret_from_fork+0x30/0x70    ret_from_fork_asm+0x1a/0x30    Freed by task 147091:    kasan_save_stack+0x2c/0x50    kasan_save_track+0x10/0x30    kasan_save_free_info+0x37/0x60    __kasan_slab_free+0x4b/0x70    kfree+0x13a/0x4b0    dealloc_work_entries+0x125/0x1f0 [iw_cm]    iwcm_deref_id+0x6f/0xa0 [iw_cm]    cm_work_handler+0x136/0x1ba0 [iw_cm]    process_one_work+0x84f/0x1460    worker_thread+0x5ef/0xfd0    kthread+0x3b0/0x770    ret_from_fork+0x30/0x70    ret_from_fork_asm+0x1a/0x30    Last potentially related work creation:    kasan_save_stack+0x2c/0x50    kasan_record_aux_stack+0xa3/0xb0    __queue_work+0x2ff/0x1390    queue_work_on+0x67/0xc0    cm_event_handler+0x46a/0x820 [iw_cm]    siw_cm_upcall+0x330/0x650 [siw]    siw_cm_work_handler+0x6b9/0x2b20 [siw]    process_one_work+0x84f/0x1460    worker_thread+0x5ef/0xfd0    kthread+0x3b0/0x770    ret_from_fork+0x30/0x70    ret_from_fork_asm+0x1a/0x30  This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver.  To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2025-38211",[17,19,21],{"_key":18},"DLA-4327-1",{"_key":20},"DLA-4328-1",{"_key":22},"DSA-5973-1",[],[],"2025-07-04T14:15:29.337Z","2026-04-28T20:29:54.128067Z",{"cisa_kev":28,"cisa_ransomware":28,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[30],{"url":31,"sources":32,"tags":34},"https://security-tracker.debian.org/tracker/CVE-2025-38211",[33],"osv_debian",[35],"Advisory",[],[],[39],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":40,"cvss_v4_0":9},{"baseScore":41,"baseSeverity":9,"vectorString":42,"impactScore":43,"exploitabilityScore":44},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[46,65],{"ecosystem":47,"name":48,"vendor":49,"product":48,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":48,"source":9,"versions":51},"Debian","linux","debian","deb",[52,58,61,64],{"version":53,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt5_10_244_1",true,"ecosystem","5.10.244-1","excluding",{"version":59,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_1_147_1","6.1.147-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_12_35_1","6.12.35-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},{"ecosystem":47,"name":66,"vendor":49,"product":66,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":66,"source":9,"versions":67},"linux-6.1",[68],{"version":69,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":70,"version_end_type":57,"fixed_in":9},"lt6_1_153_1~deb11u1","6.1.153-1~deb11u1"]