DEBIAN-CVE-2025-68371
In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | linux | 6.12.63-1, 6.12.57-1, 6.12.57-1 |
| Debian:11 | linux-6.1 | 6.1.159-1~deb11u1, 6.1.158-1~deb11u1, 6.1.153-1~deb11u1 |
| Debian:14 | linux | 6.16.7-1, 6.16.9-1, 6.16~rc7-1~exp1 |
| Debian:12 | linux | 6.1.115-1, 6.1.119-1, 6.1.123-1 |
Timeline
- Dec 24, 2025 CVE Published
- Apr 28, 2026 CVE Updated