CVE-2025-21745 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix class @block_class's subsystem refcount leakage
blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
Fix by ending the iterating with class_dev_iter_exit().
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability identified as CVE-2025-21745 resides within the Linux kernel's block cgroup subsystem, specifically affecting the blk-cgroup module's handling of device iteration. This issue represents a subtle but significant memory management flaw that can lead to resource exhaustion over time. The problem manifests when the blkcg_fill_root_iostats() function attempts to iterate through devices associated with the block_class subsystem. The function properly initializes the iteration using class_dev_iter_init() but fails to properly terminate the iteration sequence with class_dev_iter_exit().
This missing cleanup function call creates a reference count leakage scenario where the subsystem's reference counter remains incremented throughout the iteration process. The reference count represents the number of active references to the block class subsystem, and when this counter is not properly decremented through the exit function, it prevents the subsystem from being properly released or cleaned up. This type of resource leak can accumulate over time, particularly in systems with high I/O activity or frequent cgroup operations, leading to progressive memory consumption and potential system instability.
The technical flaw directly relates to improper resource management patterns and violates standard kernel coding practices for device iteration. According to CWE-404, this vulnerability falls under improper resource management where the system fails to release or properly manage a resource after its intended use. The issue also aligns with ATT&CK technique T1490, as it can contribute to resource exhaustion attacks that degrade system performance or availability. The root cause stems from the failure to maintain proper iteration lifecycle management, where initialization and cleanup operations must occur in pairs to ensure resource consistency.
The operational impact of this vulnerability extends beyond simple memory consumption, potentially affecting system responsiveness and stability in high-load environments. Systems utilizing block cgroup functionality for I/O control and monitoring may experience progressive resource degradation, where the accumulation of leaked reference counts eventually impacts system performance. In extreme cases, this could lead to memory exhaustion scenarios that force system administrators to perform emergency restarts or result in service disruptions. The vulnerability is particularly concerning in containerized environments or virtualized systems where multiple cgroup operations occur frequently, as the leak rate can accelerate significantly.
Mitigation strategies should focus on immediate kernel updates that include the fix for the missing class_dev_iter_exit() call. System administrators should prioritize patching affected systems, particularly those running high I/O workloads or environments with strict resource management requirements. Monitoring for memory usage patterns and I/O subsystem behavior can help identify potential impacts from this vulnerability before they escalate into more serious performance issues. Organizations should also consider implementing automated patch management processes to ensure timely deployment of kernel security updates. The fix itself represents a straightforward correction that restores proper reference counting behavior, but the broader implications highlight the importance of thorough testing for resource management code paths in kernel subsystems.