{"id":"CVE-2025-37906","summary":"ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd\n\nublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but\nwe may have scheduled task work via io_uring_cmd_complete_in_task() for\ndispatching request, then kernel crash can be triggered.\n\nFix it by not trying to canceling the command if ublk block request is\nstarted.","modified":"2026-04-02T12:47:36.592152Z","published":"2025-05-20T15:21:39.633Z","related":["CGA-v9r9-5qh7-873q"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37906.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/f40139fde5278d81af3227444fd6e76a76b9506d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb2eb9ddf556f93fef45201e1f9d2b8674bcc975"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37906.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37906"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"216c8f5ef0f209a3797292c487bdaa6991ab4b92"},{"fixed":"fb2eb9ddf556f93fef45201e1f9d2b8674bcc975"},{"fixed":"f40139fde5278d81af3227444fd6e76a76b9506d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37906.json"}}],"schema_version":"1.7.5"}