
CVE-2025-22083: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang:

1. Use-after-free when no tpgs are found:

This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do:

    vhost_vq_set_backend(vq, vs_tpg);
    ...
    kfree(vs->vs_tpg);
    vs->vs_tpg = vs_tpg;

If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via:

    kfree(vs->vs_tpg);
    vs->vs_tpg = vs_tpg;

If a scsi request is then sent we do:

    vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend

which sees the vs_tpg we just did a kfree on.

2. Tpg dir removal hang:

This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir.

3. Tpg leak:

This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs.

Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.
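As an added example (not from the CVE record or the kernel source), the following C model reproduces the state handling behind bug 1: the unconditional kfree(vs->vs_tpg) after a second set_endpoint call that finds no tpgs leaves the vq backend pointing at a freed array, while the patched path refuses a second set_endpoint until clear_endpoint has run. The -EEXIST return code, the patched flag and the tpgt-indexed slot array are assumptions of this model, not details taken from the page.

```c
/* Hypothetical teaching model of the endpoint handling described above; not kernel code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TPGS 8
struct tpg { int tpgt; };                   /* target portal group tag = slot (assumed) */
struct vhost_scsi {
    struct tpg **vs_tpg;   /* NULL until an endpoint is set */
    struct tpg **backend;  /* what vhost_vq_set_backend() left in the vq */
    int patched;           /* 1 = reject set_endpoint while vs_tpg is set */
};

/* 'found' = tpgs matching the requested target name (may be none). */
static int set_endpoint(struct vhost_scsi *vs, struct tpg **found, int n) {
    struct tpg **vs_tpg; int i;
    if (vs->patched && vs->vs_tpg)
        return -EEXIST;                     /* fix: caller must clear_endpoint first */
    vs_tpg = calloc(MAX_TPGS, sizeof(*vs_tpg));
    if (!vs_tpg)
        return -ENOMEM;
    if (vs->vs_tpg)                         /* carry over tpgs added by earlier calls */
        memcpy(vs_tpg, vs->vs_tpg, MAX_TPGS * sizeof(*vs_tpg));
    for (i = 0; i < n; i++)
        vs_tpg[found[i]->tpgt] = found[i];
    if (n > 0)                              /* match is true only when tpgs were found */
        vs->backend = vs_tpg;               /* vhost_vq_set_backend(vq, vs_tpg) */
    free(vs->vs_tpg);                       /* kfree(vs->vs_tpg) runs either way */
    vs->vs_tpg = vs_tpg;
    return 0;
}

static void clear_endpoint(struct vhost_scsi *vs) {
    vs->backend = NULL;                     /* vhost_vq_set_backend(vq, NULL) */
    free(vs->vs_tpg);
    vs->vs_tpg = NULL;
}

/* Bug 1 scenario: set_endpoint twice, the second call finding no tpgs. Returns 1 if
 * the vq backend was left pointing at the freed array, else the second call's rc. */
static int second_set_endpoint(int patched) {
    struct tpg t1 = { 1 }, *found[] = { &t1 };
    struct vhost_scsi vs = { NULL, NULL, patched };
    int rc, dangling;
    set_endpoint(&vs, found, 1);            /* first call: tpg1 added, backend set */
    rc = set_endpoint(&vs, NULL, 0);        /* second call: nothing found */
    dangling = vs.backend && vs.backend != vs.vs_tpg;
    clear_endpoint(&vs);
    return dangling ? 1 : rc;
}
```

The pointer comparison only detects the dangling backend; the kernel bug manifests when vhost_scsi_get_req dereferences it on the next SCSI request.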

AI-Powered Analysis

Last updated: 07/03/2025, 20:58:35 UTC

Technical Analysis

CVE-2025-22083 is a vulnerability in the Linux kernel's vhost-scsi subsystem, which is used to accelerate SCSI device emulation in virtualized environments, notably QEMU. The vulnerability arises from improper handling of multiple calls to the function vhost_scsi_set_endpoint without an intervening call to vhost_scsi_clear_endpoint. This misuse leads to several critical bugs: (1) a use-after-free condition when no target portal groups (tpgs) are found on subsequent calls, causing the kernel to reference freed memory during SCSI request handling; (2) a hang condition when attempting to remove LIO (Linux-IO target) target portal group directories due to reference count underflow (dropping to -1), which prevents userspace from removing these directories and causes operations like rmdir to hang; (3) a resource leak where tpgs become unremovable because the target name is overwritten without proper teardown of the previous target mapping, leading to stale references and memory/resource leaks. The root cause is that multiple calls to vhost_scsi_set_endpoint were never supported, but the code did not enforce this, allowing inconsistent internal state and reference counting errors. The patch fixes these issues by preventing multiple calls to vhost_scsi_set_endpoint without a preceding vhost_scsi_clear_endpoint, enforcing proper teardown before reconfiguration. This vulnerability affects Linux kernel versions identified by the commit hash 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and likely other versions containing the same code pattern. The vulnerability is particularly relevant for environments using vhost-scsi for virtualized storage, such as cloud providers and enterprises running KVM/QEMU virtualization with SCSI passthrough or emulation. No known exploits are reported in the wild as of publication, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2025-22083 can be significant, especially for those relying on Linux-based virtualization infrastructure using vhost-scsi for storage virtualization. The use-after-free vulnerability can lead to kernel crashes or potential escalation of privileges if exploited, compromising confidentiality, integrity, and availability of virtualized workloads. The hang condition on tpg directory removal can cause operational disruptions, preventing proper cleanup of storage targets and potentially leading to resource exhaustion or degraded system performance. The resource leak can accumulate over time, causing memory pressure and instability in virtualization hosts. Organizations running cloud services, data centers, or private clouds with Linux KVM/QEMU virtualization are at risk of service outages or data exposure if attackers manage to trigger these bugs. Although exploitation requires specific conditions (multiple calls to vhost_scsi_set_endpoint without clearing endpoints), misconfigured or malicious userspace components could inadvertently or intentionally trigger these issues. This vulnerability could also complicate incident response and recovery due to the hang and leak conditions. Overall, the threat undermines the reliability and security of virtualized storage environments critical to European enterprises' IT infrastructure.

Mitigation Recommendations

To mitigate CVE-2025-22083, European organizations should:

1) Apply the official Linux kernel patches that enforce the restriction on multiple calls to vhost_scsi_set_endpoint without clearing endpoints, ensuring the internal state remains consistent and reference counts are properly managed.
2) Audit and update virtualization management tools and scripts to ensure they do not invoke vhost_scsi_set_endpoint multiple times without clearing endpoints, particularly in custom or legacy automation.
3) Monitor kernel logs for signs of use-after-free or reference count errors related to vhost-scsi, which may indicate attempts to exploit or trigger the vulnerability.
4) Implement strict access controls and validation on userspace components interacting with vhost-scsi to prevent malformed or malicious calls.
5) Conduct thorough testing of virtualization environments after patching to verify that storage target removal and reconfiguration operations function correctly without hangs or leaks.
6) Consider isolating critical virtualized workloads on hosts with updated kernels to minimize risk exposure.
7) Engage with Linux distribution vendors to obtain timely security updates and backports for affected kernel versions.

These steps go beyond generic advice by focusing on the specific function call patterns and operational procedures that trigger the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.816Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe8062

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 8:58:35 PM

Last updated: 8/11/2025, 9:13:14 PM
