CVE-2025-38620

Source: https://cve.org/CVERecord?id=CVE-2025-38620
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38620.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2025-38620
Downstream
Published: 2025-08-22T16:00:24.445Z
Modified: 2026-04-02T12:48:03.098053Z
Summary
zloop: fix KASAN use-after-free of tag set
Details

In the Linux kernel, the following vulnerability has been resolved:

zloop: fix KASAN use-after-free of tag set

When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.

    zloop_ctl_remove()
      put_disk(zlo->disk)
        put_device()
          kobject_put()
            ...
              zloop_free_disk()
                kvfree(zlo)
      blk_mq_free_tag_set(&zlo->tag_set)

To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
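
A userspace model of the ordering described above, added here as an illustration; it is not the kernel patch or code from this record. All struct and function names are hypothetical stand-ins, and a "poisoned" flag stands in for the real free so that the late access is counted rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the ordering; all names are hypothetical stand-ins. */
struct dev {
    int refs;      /* models the disk's reference count */
    int poisoned;  /* set by model_free(), like KASAN poisoning freed memory */
    int fixed;     /* 1: the release callback tears down the tag set */
    int tag_set;   /* embedded member, stands in for zlo->tag_set */
};
static int late_hits;  /* accesses to a container that was already released */

/* Quarantine instead of free() so a late access is observed, not undefined. */
static void model_free(struct dev *d) { d->poisoned = 1; }

static void free_tag_set(struct dev *d)
{
    if (d->poisoned)   /* in a KASAN kernel this is the use-after-free report */
        late_hits++;
    else
        d->tag_set = 0;
}

/* Release callback: runs when the last reference is dropped. */
static void dev_release(struct dev *d)
{
    if (d->fixed)
        free_tag_set(d);  /* fixed ordering: embedded member first */
    model_free(d);        /* then the container */
}
static void dev_put(struct dev *d) { if (--d->refs == 0) dev_release(d); }

/* Remove path; returns how many accesses hit the released container. */
int remove_dev(int fixed)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) return -1;
    d->refs = 1; d->fixed = fixed; d->tag_set = 8;
    late_hits = 0;
    dev_put(d);           /* last reference: dev_release() runs in here */
    if (!fixed)
        free_tag_set(d);  /* buggy ordering: container already released */
    free(d);              /* real free, once the model has finished */
    return late_hits;
}

int main(void)
{
    printf("buggy: %d, fixed: %d late accesses\n", remove_dev(0), remove_dev(1));
    return 0;
}
```

The general rule the model shows: anything embedded in a reference-counted container must be torn down inside the release callback, never after the final put.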

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38620.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: eb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e
Fixed: c7c87046b41a9ef28ee7ac476c369da5b5228bc5
Fixed: 765761851d89c772f482494d452e266795460278

Database specific

source: "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38620.json"