CVE-2025-40343
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.
The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.
Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's nvmet-fc driver allows association deletion to be scheduled twice, leading to a use-after-free when a port is shut down.
Vulnerability
CVE-2025-40343 is a use-after-free vulnerability in the Linux kernel's NVMe over Fabrics target (nvmet-fc) driver. The bug occurs during forceful shutdown of a port via the configfs interface: nvmet_port_subsys_drop_link() calls both nvmet_port_del_ctrls() and nvmet_disable_port(), each of which independently schedules deletion of all remaining associations [1]. The code only checks if an association is about to be removed after the work item has already been scheduled, allowing the same work item to be queued twice.
Exploitation
An attacker with local access and the ability to manage NVMe over Fabrics associations could trigger this double-scheduling by initiating a port shutdown. No special privileges beyond configfs manipulation are required [2]. The race window is narrow but deterministic in the presence of concurrent deletion operations.
Impact
When the same association deletion work runs twice, it can free resources already freed by the first run, leading to a use-after-free condition. This can crash the kernel (denial of service) or potentially allow local privilege escalation [3].
Mitigation
The fix, introduced in kernel commits [1], [2], [3], and [4], adds a terminating flag to the association structure. This flag is set before scheduling the deletion work item, and subsequent attempts to schedule it are blocked, preventing the double-scheduling race condition.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
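The ordering the fix relies on, as an added user-space model that is not the kernel's code: both shutdown paths try to schedule deletion of one association; the pre-fix version queues the work before recording the terminating state, while the fixed version atomically claims the terminating flag first and queues nothing if it was already set. The struct, the array-backed "workqueue" and the run counter are constructed stand-ins.

```c
#include <stdatomic.h>
#include <stdbool.h>
/* Constructed model, not kernel code: one association carrying the
 * 'terminating' flag the fix adds, plus a count of delete-work runs. */
struct assoc {
    atomic_bool terminating;
    int delete_runs;        /* 2 means the second run hit freed memory */
};
/* Stand-in for a kernel workqueue: a small array of pending delete items. */
#define MAX_WORK 8
static struct assoc *pending[MAX_WORK];
static int npending;
static void queue_delete_work(struct assoc *a)
{
    if (npending < MAX_WORK)
        pending[npending++] = a;
}
/* Pre-fix ordering: the work is queued first and "being removed" recorded
 * afterwards, so a second caller arriving in between queues it again. */
static void schedule_delete_buggy(struct assoc *a)
{
    queue_delete_work(a);
    atomic_store(&a->terminating, true);
}
/* Fixed ordering: atomically claim the association first; only the
 * caller that flips terminating from false to true queues the work. */
static bool schedule_delete_fixed(struct assoc *a)
{
    bool expected = false;
    if (!atomic_compare_exchange_strong(&a->terminating, &expected, true))
        return false;       /* other shutdown path already scheduled it */
    queue_delete_work(a);
    return true;
}
/* Both shutdown paths (nvmet_port_del_ctrls, then nvmet_disable_port) try to
 * schedule deletion of one association; return how often its delete work ran. */
static int delete_runs_for(bool fixed)
{
    struct assoc a = { 0 };
    atomic_init(&a.terminating, false);
    npending = 0;
    for (int path = 0; path < 2; path++) {
        if (fixed) schedule_delete_fixed(&a);
        else       schedule_delete_buggy(&a);
    }
    while (npending > 0)
        pending[--npending]->delete_runs++;   /* each run frees resources */
    return a.delete_runs;   /* buggy: 2, fixed: 1 */
}
```

The model is single-threaded, so it shows the ordering defect itself rather than the timing window; in the kernel the same flag must be set with the ordering guarantees the RCU-protected list requires.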
Affected products
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40 (nvd)
- git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e (nvd)
- git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570 (nvd)
- git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d (nvd)
- git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154 (nvd)
- git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d (nvd)