CVE-2025-39999

15.10.2025, 08:15

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix blk_mq_tags double free while nr_requests grown

In the case user trigger tags grow by queue sysfs attribute nr_requests,
hctx->sched_tags will be freed directly and replaced with a new
allocated tags, see blk_mq_tag_update_depth().

The problem is that hctx->sched_tags is from elevator->et->tags, while
et->tags is still the freed tags, hence later elevator exit will try to
free the tags again, causing kernel panic.

Fix this problem by replacing et->tags with new allocated tags as well.

Noted there are still some long term problems that will require some
refactor to be fixed thoroughly[1].

[1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
trixie	6.12.43-1 not-affected
bookworm	6.1.148-1 not-affected
bullseye (security)	5.10.244-1 fixed
bookworm (security)	6.1.153-1 fixed
trixie (security)	6.12.48-1 fixed
forky	vulnerable
sid	6.16.12-1 fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Daten zu manipulieren und andere, nicht näher spezifizierte Angriffe durchzuführen.
Published: 2025-10-14T22:00:00+00:00

References

https://git.kernel.org/stable/c/392b1d64911f4de8887fe8b68299fa8bd6e5b923

https://git.kernel.org/stable/c/8faee580d63bc2a54a59dcdb7f9ce4de29384fec

https://git.kernel.org/stable/c/ba28afbd9eff2a6370f23ef4e6a036ab0cfda409