{
  "threat_severity" : "Important",
  "public_date" : "2025-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nvme-tcp: sanitize request list handling",
    "id" : "2378996",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2378996"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-672",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnvme-tcp: sanitize request list handling\nValidate the request in nvme_tcp_handle_r2t() to ensure it's not part of\nany list, otherwise a malicious R2T PDU might inject a loop in request\nlist processing." ],
  "statement" : "The vulnerability lies in the lack of validation for list membership in nvme_tcp_handle_r2t(), potentially allowing malicious R2T PDUs to introduce list corruption or loops. This could lead to denial of service or memory corruption.\nThe CVSS Privileges Required metric is Low because the attacker only needs access to an NVMe TCP queue, which may be exposed via user-level networking or containerized environments. This bug can be triggered remotely if a Linux system connects to a malicious or compromised NVMe-over-TCP target. The attacker, by crafting a malformed R2T PDU, could cause list corruption in the initiator’s kernel, potentially leading to memory corruption or denial of service. The issue is not locally triggerable by userspace but can be remotely exploited by an attacker controlling the target. The config option CONFIG_NVME_COMMON is disabled in all versions of Red Hat Enterprise Linux, so as a result all versions are not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.25.1.el10_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38264\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38264\nhttps://lore.kernel.org/linux-cve-announce/2025070937-CVE-2025-38264-ffd2@gregkh/T" ],
  "name" : "CVE-2025-38264",
  "mitigation" : {
    "value" : "Check whether the kernel config option CONFIG_NVME_COMMON is disabled or can be disabled. If it is disabled, the system is not vulnerable.",
    "lang" : "en:us"
  },
  "csaw" : false
}