CVE-2025-40261
Description
In the Linux kernel, the following vulnerability has been resolved:
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
nvme_fc_delete_assocation() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux NVMe-over-FC driver due to ioerr_work being queued after cancel_work_sync, fixed by reordering cleanup.
Root
Cause
In the Linux kernel's NVMe-over-Fibre Channel (nvme-fc) driver, the nvme_fc_delete_ctrl() function could trigger a use-after-free because cancel_work_sync() was called before nvme_fc_delete_association(). The latter waits for pending I/O to complete, but an error during that wait could cause ->ioerr_work to be queued after the work had already been cancelled. This left the work item running after the nvme_fc_ctrl object was freed, leading to a corrupted list and a kernel BUG [1].
Exploitation
An attacker with the ability to trigger an I/O error on an NVMe-over-FC connection (e.g., by causing a link failure or sending malformed frames) could cause the driver to queue ioerr_work during controller teardown. No special privileges are required beyond access to the FC fabric, but the attack surface is limited to systems using the nvme-fc transport. The race window is narrow, but the crash is reliably reproducible under the right conditions [1].
Impact
A successful exploit leads to a kernel panic (Oops) with a list_del corruption error, resulting in a denial of service (DoS) on the affected system. The crash trace shows a BUG at lib/list_debug.c:52, confirming memory corruption. No privilege escalation or data leakage is described; the primary impact is system instability and potential downtime [1].
Mitigation
The fix, committed to the Linux kernel stable tree, moves cancel_work_sync() to after nvme_fc_delete_association(), ensuring that ioerr_work cannot be queued after cancellation. Patched versions are available in the stable kernel branches; users should update to kernels containing commit 3f48cd7f35da, 33f64600a120, or fbd5741a556e [1e55 [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
73d78e8e0125160ba31330faf9610a2c162ef33f64600a12048ae433c6cc6fbd5741a556e0a2c5495b6d1Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256nvd
- git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167nvd
- git.kernel.org/stable/c/3f48cd7f35da07fc067cef926bb7f6f4735de37bnvd
- git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdbnvd
- git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200dnvd
- git.kernel.org/stable/c/9610a2c162ef729a3988213a4604376e492f6f44nvd
- git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cdnvd
News mentions
0No linked articles in our index yet.