n the Linux kernel, the following vulnerability has been resolved: zloop: fix KASAN use-after-free of tag set When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free. zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set) To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
26 Nov 2025, 17:45
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Linux linux Kernel
Linux |
|
| CPE | cpe:2.3:o:linux:linux_kernel:6.16:*:*:*:*:*:*:* | |
| References | () https://git.kernel.org/stable/c/765761851d89c772f482494d452e266795460278 - Patch | |
| References | () https://git.kernel.org/stable/c/c7c87046b41a9ef28ee7ac476c369da5b5228bc5 - Patch | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
| CWE | CWE-416 |
22 Aug 2025, 18:08
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Published : 2025-08-22 16:15
Updated : 2025-11-26 17:45
NVD link : CVE-2025-38620
Mitre link : CVE-2025-38620
CVE.ORG link : CVE-2025-38620
JSON object : View
Use After Free