CVE-2025-39999 — Vulnetix

CVE-2025-39999 PUBLISHED CVSS 9.300000190734863 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix blk_mq_tags double free while nr_requests grown In the case user trigger tags grow by queue sysfs attribute nr_requests, hctx->sched_tags will be freed directly and replaced with a new allocated tags, see blk_mq_tag_update_depth(). The problem is that hctx->sched_tags is from elevator->et->tags, while et->tags is still the freed tags, hence later elevator exit will try to free the tags again, causing kernel panic. Fix this problem by replacing et->tags with new allocated tags as well. Noted there are still some long term problems that will require some refactor to be fixed thoroughly[1]. [1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

EPSS 0.02% · 7.3th percentile

Risk Scores

CVSS 4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.02%

7.3th percentile

Affected Products

Vendor	Product	Versions
linux	linux_kernel	6.17, 6.16.4, 6.17
Linux	Linux	58567d8e95c096ad234963df90a2ca518901f4b6, f5a6604f7a4405450e4a1f54e5430f47290c500f, f5a6604f7a4405450e4a1f54e5430f47290c500f

Exploit Intelligence

CIRCL seen: CVE-2025-39999 (circl-sighting)
https://git.kernel.org/stable/c/8faee580d63bc2a54a59dcdb7f9ce4de29384fec (circl)
https://git.kernel.org/stable/c/392b1d64911f4de8887fe8b68299fa8bd6e5b923 (circl)
https://git.kernel.org/stable/c/ba28afbd9eff2a6370f23ef4e6a036ab0cfda409 (circl)

Timeline

Jan 21, 1970 Security Advisory
Oct 15, 2025 EPSS Score
Oct 15, 2025 Coalition ESS Score
Oct 15, 2025 CVE Published
Oct 15, 2025 PoC Published
Oct 16, 2025 Coalition ESS Score
Oct 21, 2025 EPSS Score
Oct 27, 2025 EPSS Score
Nov 2, 2025 EPSS Score
Nov 2, 2025 Coalition ESS Score
Nov 8, 2025 EPSS Score
Nov 13, 2025 Coalition ESS Score

References

Open in Interactive Console →