CVE-2025-68331
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully submitted URBs is completed before devinfo->resetting being set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV . In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux UAS driver can panic the kernel when a device is unplugged during ongoing URB submission.
Vulnerability
CVE-2025-68331 is a use-after-free vulnerability in the Linux kernel's USB Attached SCSI (UAS) driver (usb/storage/uas.c). When a UAS device is physically removed while data is being transferred, a race condition between URB completion and SCSI command cleanup can lead to accessing freed scatter-gather (sg) memory. Specifically, the driver submits three URBs (sense, data, and command) in sequence; if device removal causes subsequent submissions to fail, the error path may call scsi_done() prematurely, releasing the sgtable before the successfully submitted URBs have completed and been unmapped. When those URBs are later unlinked, usb_hcd_unmap_urb_for_dma() tries to unmap DMA addresses that point into freed sg structures, causing a kernel panic.
Exploitation
Triggering this vulnerability requires an attacker with physical access or the ability to cause a hot-unplug event of a UAS storage device while I/O is in progress. No special privileges are needed beyond the presence of a UAS device and active file system operations (e.g., read/write). The race window exists during the uas_submit_urbs() function, which is called from the SCSI command queue path. The attack surface is limited to systems with USB 3.0 or newer UAS-capable controllers and devices.
Impact
Successful exploitation results in a denial of service (system panic) due to dereferencing an invalid memory address. There is no evidence of code execution or privilege escalation from this bug, but a kernel panic can cause data loss or service disruption in production environments.
Mitigation
The Linux kernel community has released a patch that modifies the error handling in uas_submit_urbs(). Instead of immediately calling scsi_done() when -ENODEV is returned after partial URB submission, the command is saved to a pending list and completed only after all in-flight URBs have been finalized. The fix is included in multiple stable kernel tree commits [1][2][3]. System administrators should apply the latest stable kernel updates for their distribution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3cnvd
- git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2fnvd
- git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52nvd
- git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72nvd
- git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17nvd
- git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64nvd
- git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8dnvd
News mentions
0No linked articles in our index yet.