CVE-2025-68229
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
...
Call Trace:
 configfs_read_iter+0x12d/0x1d0 [configfs]
 vfs_read+0x1b5/0x300
 ksys_read+0x6f/0xf0
...
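A log-triage check for the crash signature in the description, added here as an example (not part of the CVE record or the kernel patch): it scans kernel log lines for a NULL-dereference oops whose RIP is in tcm_loop_tpg_address_show() and records whether the "Unable to allocate struct scsi_host" message preceded it. The function name find_tcm_loop_oops, the timestamps and the second, unrelated oops in the sample are constructed for illustration.

```python
import re

# Patterns follow the oops quoted in the CVE description.
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp
NULL_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]+:tcm_loop_tpg_address_show\+0x[0-9a-f]+/0x[0-9a-f]+ \[tcm_loop\]")
TASK_RE = re.compile(r"PID: (\d+) Comm: (\S+)")
ALLOC_FAIL = "Unable to allocate struct scsi_host"

def find_tcm_loop_oops(lines):
    """Return one dict per NULL-deref oops faulting in tcm_loop_tpg_address_show()."""
    oopses, cur, alloc_failed = [], None, False
    for raw in lines:
        line = TS_RE.sub("", raw.strip())
        if ALLOC_FAIL in line:
            alloc_failed = True  # probe failure was logged before the crash
        m = NULL_RE.search(line)
        if m:  # a new oops report starts here
            cur = {"address": m.group(1), "pid": None, "comm": None,
                   "rip_match": False, "via_configfs_read": False,
                   "alloc_failure_seen": alloc_failed}
            oopses.append(cur)
        elif cur is not None:
            t = TASK_RE.search(line)
            if t and cur["pid"] is None:
                cur["pid"], cur["comm"] = int(t.group(1)), t.group(2)
            if RIP_RE.search(line):
                cur["rip_match"] = True
            if "configfs_read_iter+" in line:
                cur["via_configfs_read"] = True
    return [o for o in oopses if o["rip_match"]]

# Constructed sample: lines from the trace in the description (timestamps added)
# plus an unrelated oops with hypothetical names that must not be reported.
SAMPLE_LOG = """\
[  101.000001] Unable to allocate struct scsi_host
[  245.100000] BUG: kernel NULL pointer dereference, address: 0000000000000194
[  245.100020] CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
[  245.100030] RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
[  245.100040] Call Trace:
[  245.100050]  configfs_read_iter+0x12d/0x1d0 [configfs]
[  300.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000010] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted 6.6.104.2-4.azl3 #1
[  300.000020] RIP: 0010:example_show+0x10/0x40 [example_mod]
""".splitlines()

if __name__ == "__main__":
    for hit in find_tcm_loop_oops(SAMPLE_LOG):
        print(hit)
```

A hit with alloc_failure_seen set indicates the host was running with the failed scsi_host allocation described above and still needs the patched kernel.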
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel tcm_loop driver, a null pointer dereference in tcm_loop_tpg_address_show() causes a crash when scsi_host allocation fails.
Vulnerability
Details
In the Linux kernel's tcm_loop driver, a null pointer dereference vulnerability exists in the tcm_loop_tpg_address_show() function. If the allocation of tl_hba->sh fails during tcm_loop_driver_probe(), the pointer remains NULL. Subsequently, when tcm_loop_tpg_address_show() attempts to dereference this pointer, it triggers a kernel NULL pointer dereference, leading to a system crash [1][2][3].
Exploitation
An attacker with access to the configfs filesystem can trigger this vulnerability by reading the tpg_address attribute for a tcm_loop target port group. The attack requires local access to the system but does not require elevated privileges, as configfs attributes are often readable by unprivileged users. The crash occurs immediately upon reading the attribute when the underlying scsi_host allocation has previously failed [1][2][3].
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a denial-of-service (DoS) condition via system crash. This can be used by an unprivileged attacker to disrupt system availability. The vulnerability is rated with a CVSS score indicating medium severity due to the need for local access and the resulting crash [1][2][3].
Mitigation
The fix for this vulnerability has been implemented in the Linux kernel mainline and backported to stable releases. The patch adds a NULL check for tl_hba->sh before dereferencing it in tcm_loop_tpg_address_show(). Users should update their kernel to a version that includes this fix, such as those containing commits [1], [2], or [3]. No workarounds are available beyond restricting access to configfs or applying the patch [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b (nvd)
- git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe (nvd)
- git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b (nvd)
- git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268 (nvd)
- git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6 (nvd)
- git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663 (nvd)
- git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc (nvd)
- git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf (nvd)