CVE-2025-68782
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Reset t_task_cdb pointer in error case
If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in the Linux kernel's SCSI target subsystem occurs when t_task_cdb allocation fails, leading to a crash in the error path.
Vulnerability Overview
In the Linux kernel's SCSI target subsystem, a null pointer dereference vulnerability exists in the error handling path of command descriptor block (CDB) allocation. When the allocation of cmd->t_task_cdb fails, the pointer remains NULL. However, the error path subsequently dereferences this pointer, leading to a kernel crash [1].
Root Cause and Exploitation
The root cause is a missing reset of the t_task_cdb pointer to the default fixed-size buffer in the allocation failure case. The kernel's SCSI target code allocates a CDB buffer separate from the command structure; if the dynamic allocation fails, the pointer is left NULL. The error path then attempts to use it. An attacker with the ability to trigger CDB allocation failures (e.g., by exhausting memory or via crafted SCSI commands) could exploit this to cause a denial-of-service (DoS) via a kernel panic [2].
Impact
Successful exploitation results in a kernel crash, leading to a denial-of-service condition. The vulnerability is local in scope, requiring access to the SCSI target subsystem, but does not require authentication beyond normal system access. No privilege escalation or data corruption is indicated [3].
Mitigation
The fix resets the t_task_cdb pointer to the default fixed-size buffer when allocation fails, preventing the null dereference. The patch has been applied to the stable kernel branches. Users should update to a kernel version containing the fix or apply the relevant patch [1][2][3].
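A userspace C model of the pattern described above, added here as an illustration; it is not the kernel's code or the upstream patch. `struct cmd_model`, `inline_cdb`, `model_alloc`, `fail_next_alloc`, the 32-byte buffer size and the truncated copy in the error path are assumptions of this model; only the `t_task_cdb` name comes from the CVE text.

```c
#include <stdlib.h>
#include <string.h>

#define INLINE_CDB_SIZE 32 /* assumed size of the fixed buffer in this model */

struct cmd_model {
    unsigned char *t_task_cdb;                 /* active CDB pointer (name from the CVE text) */
    unsigned char inline_cdb[INLINE_CDB_SIZE]; /* hypothetical name: default fixed-size buffer */
};

static int fail_next_alloc; /* hook: force exactly one allocation failure */

static void *model_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, n);
}

/* Returns 0 on success, -1 if the oversized-CDB allocation failed. */
int cmd_init_cdb(struct cmd_model *cmd, const unsigned char *cdb, size_t len)
{
    if (len > sizeof(cmd->inline_cdb)) {
        cmd->t_task_cdb = model_alloc(len);
        if (!cmd->t_task_cdb) {
            /* The fix: point back at the fixed buffer before taking the error
             * path. Without this line the memcpy under err: writes through NULL. */
            cmd->t_task_cdb = cmd->inline_cdb;
            goto err;
        }
    } else {
        cmd->t_task_cdb = cmd->inline_cdb;
    }
    memcpy(cmd->t_task_cdb, cdb, len);
    return 0;
err:
    /* Assumed error-path behaviour: keep a truncated copy of the CDB.
     * len > INLINE_CDB_SIZE is guaranteed here, so the read stays in bounds. */
    memcpy(cmd->t_task_cdb, cdb, sizeof(cmd->inline_cdb));
    return -1;
}

/* Cleanup must free only heap buffers, never the embedded one. */
void cmd_free_cdb(struct cmd_model *cmd)
{
    if (cmd->t_task_cdb != cmd->inline_cdb)
        free(cmd->t_task_cdb);
    cmd->t_task_cdb = NULL;
}
```

Because the pointer can now alias the embedded buffer after a failure, any cleanup routine has to compare against it before freeing, as `cmd_free_cdb` does in this model.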
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References (7)
- git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128 (nvd)
- git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3 (nvd)
- git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea (nvd)
- git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908 (nvd)
- git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b (nvd)
- git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96 (nvd)
- git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d (nvd)