In the Linux kernel, the following vulnerability has been resolved:
zloop: fix KASAN use-after-free of tag set
When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.
zloop_ctl_remove()
  put_disk(zlo->disk)
    put_device()
      kobject_put()
        ...
          zloop_free_disk()
            kvfree(zlo)
  blk_mq_free_tag_set(&zlo->tag_set)
To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
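The ordering problem described above, as an added user-space model (not the kernel's code and not part of the original advisory). Every model_* name is hypothetical, the "free" is simulated with a static slot and a liveness flag so the buggy order is counted rather than executed, and the tag count of 8 is a constructed value.

```c
#include <stdbool.h>
#include <string.h>

/* User-space model; every model_* name is hypothetical, not kernel code. */
struct model_tag_set { int nr_tags; };
struct model_zlo {
    int refs;                      /* stands in for the disk's refcount */
    struct model_tag_set tag_set;  /* embedded: shares the zlo's lifetime */
};

static struct model_zlo slot;  /* static backing store: nothing is really freed */
static bool zlo_live;          /* shadow state: is the zlo allocation valid? */
static int  uaf_events;        /* tag-set teardowns attempted on a dead zlo */
static int  tag_sets_freed;    /* tag-set teardowns done while zlo was alive */

/* Models blk_mq_free_tag_set(&zlo->tag_set). */
static void model_free_tag_set(struct model_zlo *zlo)
{
    if (!zlo_live) { uaf_events++; return; }  /* where KASAN would report */
    zlo->tag_set.nr_tags = 0;
    tag_sets_freed++;
}

/* Models zloop_free_disk(), the release callback run on the last put. */
static void model_free_disk(struct model_zlo *zlo, bool fixed)
{
    if (fixed)
        model_free_tag_set(zlo);      /* fix: tear down before kvfree(zlo) */
    memset(zlo, 0x6b, sizeof(*zlo));  /* models kvfree(zlo) with poisoning */
    zlo_live = false;
}

static void model_put_disk(struct model_zlo *zlo, bool fixed)
{
    if (--zlo->refs == 0)
        model_free_disk(zlo, fixed);
}

/* Models zloop_ctl_remove(); returns the number of use-after-free events. */
int model_ctl_remove(bool fixed)
{
    slot = (struct model_zlo){ .refs = 1, .tag_set = { .nr_tags = 8 } };
    zlo_live = true;
    uaf_events = tag_sets_freed = 0;
    model_put_disk(&slot, fixed);      /* last reference: zlo is released here */
    if (!fixed)
        model_free_tag_set(&slot);     /* bug: runs after the release callback */
    return uaf_events;
}
```

With fixed set to false the teardown is attempted once on a released object and the tag set is never freed; with fixed set to true the release callback frees it exactly once before the object goes away.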
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38620.json",
"cna_assigner": "Linux"
}