vulnerability
VMware Photon OS: CVE-2025-23151
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:M/Au:S/C:N/I:N/A:C) | May 1, 2025 | Oct 17, 2025 | Oct 23, 2025 |
Severity
4
CVSS
(AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published
May 1, 2025
Added
Oct 17, 2025
Modified
Oct 23, 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: Fix race between unprepare and queue_buf
A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.
This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.
[mani: added stable tag]
bus: mhi: host: Fix race between unprepare and queue_buf
A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.
This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.
[mani: added stable tag]
Solution
vmware-photon_os_update_tdnf
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.