VDB

CVE-2025-38620

CVE-2025-38620 PUBLISHED CVSS 7.800000190734863 HIGH

In the Linux kernel, the following vulnerability has been resolved: zloop: fix KASAN use-after-free of tag set When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free. zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set) To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).

EPSS 0.03% · 8.8th percentile

Risk Scores

CVSS v3.1
7.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.03%
8.8th percentile

Affected Products

VendorProductVersions
linuxlinux_kernel6.16, 6.16, 6.16
LinuxLinuxeb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e, 6.16, 0

Timeline

  • Jan 21, 1970 Security Advisory
  • Aug 22, 2025 Coalition ESS Score
  • Aug 22, 2025 CVE Published
  • Aug 23, 2025 EPSS Score
  • Aug 26, 2025 Coalition ESS Score
  • Aug 31, 2025 EPSS Score
  • Sep 8, 2025 EPSS Score
  • Sep 16, 2025 EPSS Score
  • Sep 24, 2025 EPSS Score
  • Oct 1, 2025 EPSS Score
  • Oct 4, 2025 Coalition ESS Score
  • Oct 6, 2025 Coalition ESS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›