CVE-2025-38620

HIGH

Linux Kernel - Use-After-Free in zloop_ctl_remove

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: zloop: fix KASAN use-after-free of tag set When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free. zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set) To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/c7c87046b41a9ef28ee7ac476c369da5b5228bc5

Patch

https://git.kernel.org/stable/c/765761851d89c772f482494d452e266795460278

Scores

CVSS v3 7.8

EPSS 0.0014

EPSS Percentile 3.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (8)

linux/Kernel 6.16.0 - 6.16.1linux

Linux/Linux < 6.16

Linux/Linux 6.16

Linux/Linux 6.16.1 - 6.16.*

Linux/Linux 6.17

Linux/Linux eb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e - 765761851d89c772f482494d452e266795460278

Linux/Linux eb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e - c7c87046b41a9ef28ee7ac476c369da5b5228bc5

linux/linux_kernel 6.16

Published Aug 22, 2025

Tracked Since Feb 18, 2026