CVE-2025-68373 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
md: avoid repeated calls to del_gendisk
There is a uaf problem which is found by case 23rdev-lifetime:
Oops: general protection fault, probably for non-canonical address 0xdead000000000122 RIP: 0010:bdi_unregister+0x4b/0x170 Call Trace: <TASK> __del_gendisk+0x356/0x3e0 mddev_unlock+0x351/0x360 rdev_attr_store+0x217/0x280 kernfs_fop_write_iter+0x14a/0x210 vfs_write+0x29e/0x550 ksys_write+0x74/0xf0 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff5250a177e
The sequence is: 1. rdev remove path gets reconfig_mutex 2. rdev remove path release reconfig_mutex in mddev_unlock 3. md stop calls do_md_stop and sets MD_DELETED 4. rdev remove path calls del_gendisk because MD_DELETED is set 5. md stop path release reconfig_mutex and calls del_gendisk again
So there is a race condition we should resolve. This patch adds a flag MD_DO_DELETE to avoid the race condition.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 12/25/2025
The vulnerability described in CVE-2025-68373 represents a use-after-free condition within the Linux kernel's md (multiple device) subsystem, specifically affecting the management of generic disk devices through the del_gendisk function. This issue manifests as a general protection fault during kernel execution, indicating a critical memory safety problem that could potentially lead to system instability or privilege escalation. The vulnerability was identified through careful analysis of device lifetime management in the md driver, where improper synchronization between different code paths results in double deletion of disk device structures.
The technical flaw occurs due to a race condition between two distinct execution paths within the md subsystem's device management logic. When a redundant device (rdev) is being removed, the code path acquires the reconfig_mutex lock, proceeds with device removal operations, and then releases the mutex in the mddev_unlock function. However, concurrently the md stop operation is executing, which calls do_md_stop and sets the MD_DELETED flag. This creates a scenario where the rdev removal path may call del_gendisk while the MD_DELETED flag is set, followed by the md stop path also calling del_gendisk when the mutex is released, resulting in the same disk device structure being deleted twice. This double deletion pattern constitutes a classic use-after-free vulnerability that violates memory safety principles.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential attack vector for privilege escalation within the kernel space. The general protection fault observed during execution indicates that the kernel's memory management has detected an invalid memory access pattern, likely due to attempting to access freed memory structures. This vulnerability affects the md subsystem's ability to properly manage storage arrays and could potentially allow malicious actors to exploit the race condition to gain elevated privileges or cause denial of service through system crashes. The issue is particularly concerning because it occurs during normal device management operations, making it difficult to predict or prevent in production environments.
The patch addressing this vulnerability introduces a new flag MD_DO_DELETE to prevent the race condition by ensuring that del_gendisk is only called once during the device removal process. This solution follows established kernel development practices for managing concurrent access to shared resources and prevents the double deletion that leads to the use-after-free condition. The fix aligns with common security best practices for kernel memory management and addresses the underlying synchronization issue that allowed the race condition to occur. This approach demonstrates proper defensive programming techniques that prevent concurrent access violations and maintain the integrity of kernel data structures during device lifecycle management operations. The vulnerability classification aligns with CWE-415, which describes double free conditions in memory management, and could potentially map to ATT&CK technique T1068, which involves exploiting privileges through local system exploitation.