NVD

CVE-2025-37772 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler struct rdma_cm_id has member "struct work_struct net_work" that is reused for enqueuing cma_netevent_work_handler()s onto cma_wq. Below crash[1] can occur if more than one call to cma_netevent_callback() occurs in quick succession, which further enqueues cma_netevent_work_handler()s for the same rdma_cm_id, overwriting any previously queued work-item(s) that was just scheduled to run i.e. there is no guarantee the queued work item may run between two successive calls to cma_netevent_callback() and the 2nd INIT_WORK would overwrite the 1st work item (for the same rdma_cm_id), despite grabbing id_table_lock during enqueue. Also drgn analysis [2] indicates the work item was likely overwritten. Fix this by moving the INIT_WORK() to __rdma_create_id(), so that it doesn't race with any existing queue_work() or its worker thread. [1] Trimmed crash stack: ============================================= BUG: kernel NULL pointer dereference, address: 0000000000000008 kworker/u256:6 ... 6.12.0-0... Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm) RIP: 0010:process_one_work+0xba/0x31a Call Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 ============================================= [2] drgn crash analysis: >>> trace = prog.crashed_thread().stack_trace() >>> trace (0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15) (1) __crash_kexec (kernel/crash_core.c:122:4) (2) panic (kernel/panic.c:399:3) (3) oops_end (arch/x86/kernel/dumpstack.c:382:3) ... (8) process_one_work (kernel/workqueue.c:3168:2) (9) process_scheduled_works (kernel/workqueue.c:3310:3) (10) worker_thread (kernel/workqueue.c:3391:4) (11) kthread (kernel/kthread.c:389:9) Line workqueue.c:3168 for this kernel version is in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); >>> trace[8]["work"] *(struct work_struct *)0xffff92577d0a21d8 = { .data = (atomic_long_t){ .counter = (s64)536870912, <=== Note }, .entry = (struct list_head){ .next = (struct list_head *)0xffff924d075924c0, .prev = (struct list_head *)0xffff924d075924c0, }, .func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280, } Suspicion is that pwq is NULL: >>> trace[8]["pwq"] (struct pool_workqueue *)<absent> In process_one_work(), pwq is assigned from: struct pool_workqueue *pwq = get_work_pwq(work); and get_work_pwq() is: static struct pool_workqueue *get_work_pwq(struct work_struct *work) { unsigned long data = atomic_long_read(&work->data); if (data & WORK_STRUCT_PWQ) return work_struct_pwq(data); else return NULL; } WORK_STRUCT_PWQ is 0x4: >>> print(repr(prog['WORK_STRUCT_PWQ'])) Object(prog, 'enum work_flags', value=4) But work->data is 536870912 which is 0x20000000. So, get_work_pwq() returns NULL and we crash in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); =============================================

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 5.5 MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14	kernel.org	Patch
https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7	kernel.org	Patch
https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447	kernel.org	Patch
https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a	kernel.org	Patch
https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb	kernel.org	Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html	CVE	Mailing List

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-476	NULL Pointer Dereference	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by kernel.org 6/17/2026 5:15:24 AM

Action

Type

Old Value

New Value

Added

Affected

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/infiniband/core/cma.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"925d046e7e52c71c3531199ce137e141807ef740","lessThan":"51003b2c872c63d28bcf5fbcc52cf7b05615f7b7","versionType":"git","status":"affected"},{"version":"925d046e7e52c71c3531199ce137e141807ef740","lessThan":"c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a","versionType":"git","status":"affected"},{"version":"925d046e7e52c71c3531199ce137e141807ef740","lessThan":"d23fd7a539ac078df119707110686a5b226ee3bb","versionType":"git","status":"affected"},{"version":"925d046e7e52c71c3531199ce137e141807ef740","lessThan":"b172a4a0de254f1fcce7591833a9a63547c2f447","versionType":"git","status":"affected"},{"version":"925d046e7e52c71c3531199ce137e141807ef740","lessThan":"45f5dcdd049719fb999393b30679605f16ebce14","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/infiniband/core/cma.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.1.135","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.88","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.25","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.14.4","lessThanOrEqual":"6.14.*","versionType":"semver","status":"unaffected"},{"version":"6.15","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 11/05/2025 12:49:53 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE	CWE-476
Added	CPE Configuration	OR cpe:2.3:o:debian:debian_linux:11.0:::::::
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.88 cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.0 up to (excluding) 6.1.135 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.25 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.14.4
Added	Reference Type	CVE: https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html Types: Mailing List
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb Types: Patch

New CVE Received from kernel.org 5/01/2025 10:15:40 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 3095 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler struct rdma_cm_id has member "struct work_struct net_work" that is reused for enqueuing cma_netevent_work_handler()s onto cma_wq. Below crash[1] can occur if more than one call to cma_netevent_callback() occurs in quick succession, which further enqueues cma_netevent_work_handler()s for the same rdma_cm_id, overwriting any previously queued work-item(s) that was just scheduled to run i.e. there is no guarantee the queued work item may run between two successive calls to cma_netevent_callback() and the 2nd INIT_WORK would overwrite the 1st work item (for the same rdma_cm_id), despite grabbing id_table_lock during enqueue. Also drgn analysis [2] indicates the work item was likely overwritten. Fix this by moving the INIT_WORK() to __rdma_create_id(), so that it doesn't race with any existing queue_work() or its worker thread. [1] Trimmed crash stack: ============================================= BUG: kernel NULL pointer dereference, address: 0000000000000008 kworker/u256:6 ... 6.12.0-0... Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm) RIP: 0010:process_one_work+0xba/0x31a Call Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 ============================================= [2] drgn crash analysis: >>> trace = prog.crashed_thread().stack_trace() >>> trace (0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15) (1) __crash_kexec (kernel/crash_core.c:122:4) (2) panic (kernel/panic.c:399:3) (3) oops_end (arch/x86/kernel/dumpstack.c:382:3) ... (8) process_one_work (kernel/workqueue.c:3168:2) (9) process_scheduled_works (kernel/workqueue.c:3310:3) (10) worker_thread (kernel/workqueue.c:3391:4) (11) kthread (kernel/kthread.c:389:9) Line workqueue.c:3168 for this kernel version is in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); >>> trace[8]["work"] (struct work_struct )0xffff9
Added	Reference	https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14
Added	Reference	https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7
Added	Reference	https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447
Added	Reference	https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a
Added	Reference	https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb

Quick Info

CVE Dictionary Entry:
CVE-2025-37772
NVD Published Date:
05/01/2025
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-37772 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by kernel.org 6/17/2026 5:15:24 AM

Initial Analysis by NIST 11/05/2025 12:49:53 PM

CVE Modified by CVE 11/03/2025 3:18:33 PM

New CVE Received from kernel.org 5/01/2025 10:15:40 AM

Quick Info