CVE-2025-38658
📋 TL;DR
A double completion vulnerability in the Linux kernel's NVMe over Fabrics target subsystem can cause kernel crashes when processing invalid NVMe commands. This affects systems using PCIe endpoint function drivers for NVMe targets. The vulnerability allows remote attackers to trigger denial of service conditions.
💻 Affected Systems
- Linux kernel with NVMe over Fabrics target support
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to complete system crash and denial of service
Likely Case
System instability, kernel oops, and potential service disruption
If Mitigated
No impact if patched or workarounds applied
🎯 Exploit Status
Requires ability to send NVMe commands with unsupported opcodes to trigger the condition
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 746d0ac5a07d5da952ef258dd4d75f0b26c96476 and a535c0b10060bc8c174a7964b0f98064ee0c4774
Vendor Advisory: https://git.kernel.org/stable/c/746d0ac5a07d5da952ef258dd4d75f0b26c96476
Restart Required: No
Instructions:
1. Update Linux kernel to patched version
2. Rebuild kernel if compiling from source
3. No reboot required for hotpatch if supported
🔧 Temporary Workarounds
Disable NVMe over Fabrics PCIe endpoint function
Prevent use of vulnerable NVMe over Fabrics PCIe endpoint functionality
modprobe -r nvmet_pci_epf
echo 'blacklist nvmet_pci_epf' >> /etc/modprobe.d/blacklist.conf
Restrict NVMe command access
Limit which systems can send NVMe commands to the target
Configure NVMe access controls and authentication
🧯 If You Can't Patch
- Implement network segmentation to isolate NVMe over Fabrics traffic
- Monitor for abnormal NVMe command patterns and system crashes
🔍 How to Verify
Check if Vulnerable:
Check if nvmet_pci_epf module is loaded and kernel version is unpatched: lsmod | grep nvmet_pci_epf
Check Version:
uname -r
Verify Fix Applied:
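Verify kernel contains the fix commits. System.map lists symbol addresses, not commit IDs, so grepping it for the hashes never matches. Check the distribution's kernel changelog, or in a clone of the stable kernel tree list the release tags that include each fix and compare them with the running version: git tag --contains 746d0ac5a07d5da952ef258dd4d75f0b26c96476 (repeat for a535c0b10060bc8c174a7964b0f98064ee0c4774)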
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages related to nvmet_pci_epf
- Multiple NVMe completion messages for single commands
- System crash logs
Network Indicators:
- Unusual NVMe command patterns with unsupported opcodes
- Multiple completion packets for single NVMe transactions
SIEM Query:
source="kernel" AND ("nvmet_pci_epf" OR "double completion" OR "kernel oops")
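The module check under "How to Verify" and the log indicators above can be combined into one triage script. This is an added example, not part of the original advisory; the function names, the sample log lines and the symbol `example_complete` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): exposure and crash-log triage.

# Print "loaded", "blacklisted" or "not-loaded" for nvmet_pci_epf.
# $1 = /proc/modules-format file, $2 = modprobe.d directory.
# A driver built into the kernel does not appear in /proc/modules.
nvmet_epf_state() {
    mods=${1:-/proc/modules}
    confdir=${2:-/etc/modprobe.d}
    if grep -q '^nvmet_pci_epf ' "$mods" 2>/dev/null; then
        echo loaded
    elif grep -Eqs '^[[:space:]]*blacklist[[:space:]]+nvmet[-_]pci[-_]epf([[:space:]]|$)' "$confdir"/*.conf; then
        echo blacklisted
    else
        echo not-loaded
    fi
}

# Count oops/BUG reports whose call trace has a frame in nvmet_pci_epf.
# Module frames are printed as "symbol+0x.../0x... [module]".
# $1 = saved kernel log; reads stdin when omitted.
nvmet_epf_oops_count() {
    awk '
        !inrep && /Oops|BUG:|Unable to handle kernel|general protection fault/ { inrep = 1; hit = 0 }
        inrep && /\[nvmet_pci_epf\]/ { hit = 1 }
        inrep && /---\[ end trace/ { n += hit; inrep = 0 }
        END { if (inrep) n += hit; print n + 0 }
    ' "${1:--}"
}

# Constructed sample log (not real output): one report with a frame in
# the module, one unrelated report.
sample_log() {
    cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  101.000002] Oops: 0002 [#1] SMP
[  101.000003] Call Trace:
[  101.000004]  example_complete+0x1c/0x40 [nvmet_pci_epf]
[  101.000005] ---[ end trace 0000000000000000 ]---
[  230.000001] BUG: unable to handle page fault for address: ffffffffc0000000
[  230.000002] Call Trace:
[  230.000003]  other_fn+0x10/0x20 [example_mod]
[  230.000004] ---[ end trace 0000000000000000 ]---
EOF
}

echo "module state: $(nvmet_epf_state)"
echo "matching reports in sample: $(sample_log | nvmet_epf_oops_count)"
```

Against a live host, pipe `journalctl -k` or `dmesg` into `nvmet_epf_oops_count`; matching on the bracketed module tag in the call trace avoids counting every oops that merely lists the module as loaded.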