CVE-2025-40171
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.
In the current code, only one put work item is queued at a time, which results in a leaked reference.
To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nvmet-fc, a race condition in the lsop work item handling leads to a tgtport reference leak when multiple async LS commands are in flight, potentially causing resource exhaustion.
Root Cause
The vulnerability resides in the Linux kernel's nvmet-fc (NVMe over Fabrics target for Fibre Channel) subsystem. When the function __nvmet_fc_send_ls_req() dispatches multiple asynchronous Link Service (LS) requests, each request acquires a reference on the tgtport object. However, the code that releases these references was incorrectly structured: only a single work item was queued globally to perform the put operation. Consequently, if multiple LS commands are in flight concurrently, only the last command's reference is released, while the references for preceding commands are leaked [1][2][3].
Exploitation
An attacker capable of sending multiple concurrent LS requests to a vulnerable NVMe-oF target over Fibre Channel can trigger this race condition. No authentication is required beyond network access to the target's Fibre Channel fabric. The flaw is exercised simply by normal command processing; no unusual privileges are needed.
Impact
Successful exploitation results in a reference count leak on the nvmet_fc_tgtport structure. Over time, this leads to memory exhaustion as the leaked references prevent the port from being freed. The kernel may eventually run out of memory, causing a denial-of-service (DoS) condition that disrupts all NVMe-oF operations on the affected system.
Mitigation
The fix moves the put work item from a global schedule to the per-command nvmet_fc_ls_req_op structure, ensuring each command individually cleans up its own reference. The patch has been applied to the stable kernel branches and is available in commits [1], [2], and [3]. Users should update to a kernel version containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
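A user-space C model of the mechanism described above, added here as an illustration and not taken from the kernel patch: completions that arrive before the worker runs collapse onto one shared work item (one put), while a work item embedded in each command yields one put per command. The struct and function names are hypothetical; the only kernel behaviour assumed is that queueing an already-pending work item is a no-op.

```c
/* User-space model of the put-work pattern; not kernel code, names hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_OPS 16
struct port { int refs; };
struct work { bool pending; struct port *port; };
struct ls_op { struct work put_work; };        /* post-fix: one item per command */
static struct work *queue[MAX_OPS];
static int queued;

/* Same contract as the kernel's queue_work(): a pending item is not queued twice. */
static bool queue_work_model(struct work *w)
{
    if (w->pending)
        return false;
    w->pending = true;
    queue[queued++] = w;
    return true;
}

static void run_workqueue(void)
{
    for (int i = 0; i < queued; i++) {
        queue[i]->port->refs--;                /* each queued item drops one reference */
        queue[i]->pending = false;
    }
    queued = 0;
}

/* References still held after n commands complete before the worker runs. */
int leaked_refs(int n, bool per_op_work)
{
    struct port port = { .refs = 0 };
    struct work shared = { .port = &port };    /* pre-fix: one item for all commands */
    struct ls_op ops[MAX_OPS] = { 0 };
    n = n > MAX_OPS ? MAX_OPS : n;
    for (int i = 0; i < n; i++) {              /* send: one get per command */
        ops[i].put_work.port = &port;
        port.refs++;
    }
    for (int i = 0; i < n; i++)                /* completions arrive back to back */
        queue_work_model(per_op_work ? &ops[i].put_work : &shared);
    run_workqueue();
    return port.refs;
}

int main(void)
{
    printf("shared: %d leaked, per-op: %d leaked\n", leaked_refs(4, false), leaked_refs(4, true));
}
```

With four commands in flight the shared item leaves three references held and the per-command item leaves none; a single command never leaks in either layout, which is why the defect only shows under concurrent LS traffic.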
Affected products: 2
Patches: 11269c08013f, a28112cc5501, 060ecc81240e, 7331925c247b, 7a619f8c8691, db5a5406fb7e
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c (nvd)
- git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0 (nvd)
- git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850 (nvd)
- git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4 (nvd)
- git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9 (nvd)
- git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 (nvd)