CVE-2025-38620 in Linuxinfo

Summary

by MITRE • 08/22/2025

In the Linux kernel, the following vulnerability has been resolved:

zloop: fix KASAN use-after-free of tag set

When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.

zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set)

To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability exists in the Linux kernel's zoned loop device implementation where a use-after-free condition occurs during device removal operations. The issue specifically affects systems running kernels with KASAN (Kernel Address Sanitizer) enabled, which is designed to detect memory corruption errors. When a zloop device is removed, the kernel's memory management sequence creates a race condition where memory is freed before all references to it are properly invalidated.

The technical flaw stems from improper ordering of memory cleanup operations within the zloop device management code. During the removal process, zloop_ctl_remove() function orchestrates the device cleanup by first calling put_disk() which eventually leads to zloop_free_disk() being invoked. The zloop_free_disk() function executes kvfree(zlo) to release the memory allocated for the zloop device structure, but this occurs before blk_mq_free_tag_set(&zlo->tag_set) is called. This sequence creates a situation where the tag_set structure continues to reference freed memory, triggering KASAN's use-after-free detection mechanism.

The operational impact of this vulnerability is significant for systems that utilize zoned loop devices, particularly in storage and virtualization environments where such devices are commonly deployed. When KASAN detects this use-after-free condition, it generates a kernel BUG message that can cause system instability and potential crashes. The vulnerability represents a classic memory safety issue that violates the fundamental principle of proper resource management and can potentially be exploited to gain unauthorized access to system resources or cause denial of service conditions. This flaw aligns with CWE-416, which describes the use of freed memory condition, and demonstrates how improper memory lifecycle management can create security vulnerabilities.

The recommended mitigation involves reordering the cleanup operations within the device removal sequence to ensure that all references to the zloop structure are invalidated before the memory is freed. By moving the blk_mq_free_tag_set(&zlo->tag_set) call into the zloop_free_disk() function, the system ensures that the tag_set structure is properly cleaned up before the zloop device structure is freed. This approach follows the principle of proper resource management and aligns with ATT&CK technique T1068, which involves exploiting local privileges to gain system access through memory corruption vulnerabilities. The fix ensures that the kernel's memory management operations adhere to proper ordering principles and prevents the access to freed memory that would otherwise trigger KASAN warnings and potentially more serious security implications.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00143

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!