CVE-2025-68229: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
attempt to dereference it in tcm_loop_tpg_address_show() we will get a
segfault, see below for an example. So, check tl_hba->sh before
dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
...
Call Trace:
<TASK>
configfs_read_iter+0x12d/0x1d0 [configfs]
vfs_read+0x1b5/0x300
ksys_read+0x6f/0xf0
...
Security readout for executives and security teams
Plain-English summary
CVE-2025-68229 is a Linux kernel bug in the SCSI target loopback driver. If an internal allocation fails, a later read can dereference a null pointer and cause a kernel fault. The main business concern is local system instability or denial of service on affected Linux hosts using this component.
Executive priority
Treat as a targeted availability risk, not a broad internet-facing emergency based on current evidence. Patch during normal kernel maintenance, accelerating for storage or virtualization hosts where SCSI target loopback functionality is used.
Technical view
The flaw is in tcm_loop_tpg_address_show(). When tcm_loop_driver_probe() fails to allocate tl_hba->sh, the show handler can still dereference it through configfs_read_iter(), causing a NULL pointer dereference in kernel mode. The kernel fix adds a check before dereferencing tl_hba->sh.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the tcm_loop SCSI target loopback component present or used. The source does not state required privileges or remote reachability. Storage, virtualization, and test environments using kernel SCSI target features should be prioritized for review.
Exploitation context
The provided sources do not show active exploitation, and KEV is false. The described condition requires an allocation failure during probe followed by reading the affected configfs attribute. Impact evidence is a kernel NULL pointer dereference and oops, which can disrupt host availability.
Researcher notes
Affected version data in the bundle is kernel-branch oriented and should be mapped to distribution backports. The CVE text identifies the failing path and fix concept, but does not provide CVSS, privilege requirements, or a complete exploitability assessment.
Mitigation direction
Update to a kernel containing the referenced stable fixes for your maintained branch.
Follow your Linux distribution’s advisory and kernel package guidance.
If unused, consider disabling or avoiding tcm_loop according to vendor-supported procedures.
Prioritize hosts using SCSI target, storage virtualization, or kernel target testing features.
Validation and detection
Inventory Linux kernel versions across affected server and appliance fleets.
Check whether tcm_loop is built, loadable, or active on relevant hosts.
Confirm installed kernels include the applicable stable commit for their branch.
Review kernel logs for tcm_loop_tpg_address_show NULL dereference or related oops messages.
Track distribution advisories because backport versioning may differ from upstream commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68229 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.