CVE-2025-68745 | scsi: qla2xxx: Clear cmds after chip reset

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs(). So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and partially revert "scsi: qla2xxx: target: Fix offline port handling and host reset handling" at __qla2x00_abort_all_cmds.

Published: 2025-12-24 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2025-68745 is rated Low Risk (4.1/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-68745

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-12-25	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-68745

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-68745

OS Trackers for CVE-2025-68745

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-68745 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2.	https://security-tracker.debian.org/tracker/CVE-2025-68745
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-68745
`suse`	medium	CVE-2025-68745 severity moderate: SUSE including 128 source package names (2.2.1-5.81:libblkid1-2.40.4-slfo.1.1_4.1, 2.2.1-5.81:libfdisk1-2.40.4-slfo.1.1_4.1, …), 273 product×package rows across 20 product lines (Container suse/sl-micro/6.1/baremetal-os-container, Container suse/sl-micro/6.1/base-os-container, … (20 product lines)): Fixed 233, First Fixed 25, Known Not Affected 15.	https://www.suse.com/security/cve/CVE-2025-68745/
`ubuntu`	medium	CVE-2025-68745 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 180, needed 108, released 88, pending 11, not-affected 8.	https://ubuntu.com/security/CVE-2025-68745

Affected software / configurations for CVE-2025-68745

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-68745

URL	Tags
https://git.kernel.org/stable/c/5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936
https://git.kernel.org/stable/c/d46c69a087aa3d1513f7a78f871b80251ea0c1ae

cvelogic Threat Intelligence