CVE-2025-21656
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/01/2025
Last modified:
26/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur

scsi_execute_cmd() function can return both negative (linux codes) and
positive (scsi_cmnd result field) error codes.

Currently the driver just passes error codes of scsi_execute_cmd() to
hwmon core, which is incorrect because hwmon only checks for negative
error codes. This leads to hwmon reporting uninitialized data to
userspace in case of SCSI errors (for example if the disk drive was
disconnected).

This patch checks scsi_execute_cmd() output and returns -EIO if its
error code is positive.

[groeck: Avoid inline variable declaration for portability]
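
The return-code mismatch described above, modelled in userspace as an added example; this is not the kernel patch or the drivetemp driver's code. `sim_execute_cmd`, `core_show`, `POISON` and `SIM_SCSI_ERR` are constructed stand-ins for scsi_execute_cmd(), the hwmon core, uninitialized memory and a positive SCSI result.

```c
#include <errno.h>
#include <stdio.h>

#define POISON 0x5a5a5a5aL /* constructed: stands in for uninitialized memory */
#define SIM_SCSI_ERR 2     /* constructed: any positive SCSI result value */

/* Stand-in for scsi_execute_cmd(): <0 Linux errno, >0 SCSI result, 0 success. */
static int sim_execute_cmd(int outcome, long *temp)
{
    if (outcome == 0)
        *temp = 35000; /* millidegrees C; the buffer is only filled on success */
    return outcome;
}

/* Read callback before the fix: the return code is passed through unchanged. */
static int read_before_fix(int outcome, long *val)
{
    return sim_execute_cmd(outcome, val);
}

/* Read callback after the fix: a positive SCSI result is mapped to -EIO. */
static int read_after_fix(int outcome, long *val)
{
    int err = sim_execute_cmd(outcome, val);
    if (err > 0)
        err = -EIO;
    return err;
}

/* Stand-in for the hwmon core: only a negative return is treated as failure. */
static int core_show(int (*read)(int, long *), int outcome, long *reported)
{
    long val = POISON;
    int ret = read(outcome, &val);
    if (ret < 0)
        return ret;
    *reported = val; /* this value is what userspace would see */
    return 0;
}

int main(void)
{
    long a = 0, b = 0;
    int ra = core_show(read_before_fix, SIM_SCSI_ERR, &a);
    int rb = core_show(read_after_fix, SIM_SCSI_ERR, &b);
    printf("before fix: ret=%d reported=%#lx\n", ra, (unsigned long)a);
    printf("after fix:  ret=%d reported=%#lx\n", rb, (unsigned long)b);
    return 0;
}
```
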
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6 (including) | 6.6.72 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* | | |



