VYPR
Unrated severity · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-39999

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix blk_mq_tags double free while nr_requests grown

In the case where a user triggers a tags grow through the queue sysfs attribute nr_requests, hctx->sched_tags will be freed directly and replaced with newly allocated tags, see blk_mq_tag_update_depth().

The problem is that hctx->sched_tags is from elevator->et->tags, while et->tags is still the freed tags, hence a later elevator exit will try to free the tags again, causing a kernel panic.

Fix this problem by replacing et->tags with the newly allocated tags as well.

Note that there are still some long-term problems that will require some refactoring to be fixed thoroughly [1].

[1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in the Linux kernel's blk-mq subsystem can cause a kernel panic when the nr_requests sysfs attribute is used to grow tags.

Vulnerability

In the Linux kernel's block multi-queue (blk-mq) subsystem, a double-free vulnerability exists in the handling of scheduler tags when the nr_requests sysfs attribute is modified. When a user triggers a tags grow operation via the queue's sysfs attribute, hctx->sched_tags is freed and replaced with a newly allocated tags structure. However, the elevator's et->tags pointer still references the freed tags, leading to a double-free when the elevator exits and attempts to free the tags again, resulting in a kernel panic [1].
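The stale-pointer sequence described above, modelled in user space as an added example (not kernel code, and not taken from the advisory or the fix commit). `struct tags`, `struct elv_tags`, `tags_alloc()`, `tags_free()`, `grow_depth()` and `run_scenario()` are hypothetical stand-ins, and a static pool with a `live` flag replaces real allocation so the second free is reported instead of executed.

```c
/* User-space model (constructed), not kernel code; only field names are from the advisory. */
#include <stdio.h>
#define POOL 16
struct tags { int live; };                /* stand-in for struct blk_mq_tags */
struct elv_tags { struct tags *tags; };   /* stand-in for elevator->et */
struct hctx { struct tags *sched_tags; };
static struct tags pool[POOL];            /* static pool, so no real free() runs */
static unsigned used;

static struct tags *tags_alloc(void)
{
    struct tags *t = &pool[used++ % POOL];
    t->live = 1;
    return t;
}

/* Returns 0 on success, -1 if the object was already freed (double free). */
static int tags_free(struct tags *t)
{
    if (!t->live)
        return -1;
    t->live = 0;
    return 0;
}

/* Grow path: old tags freed, hctx->sched_tags replaced; fixed=0 leaves et->tags stale. */
static void grow_depth(struct hctx *h, struct elv_tags *et, int fixed)
{
    struct tags *fresh = tags_alloc();
    tags_free(h->sched_tags);
    h->sched_tags = fresh;
    if (fixed)
        et->tags = fresh;                 /* the fix: et->tags follows the swap */
}

/* One queue lifetime; returns the result of the free done at elevator exit. */
int run_scenario(int fixed)
{
    struct elv_tags et = { tags_alloc() };
    struct hctx h = { et.tags };
    grow_depth(&h, &et, fixed);
    return tags_free(et.tags);
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

In the model, the unfixed path returns -1 at elevator exit because `et.tags` still points at the object released during the grow, while the fixed path frees the replacement exactly once.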

Exploitation

An attacker with the ability to write to the nr_requests sysfs attribute of a block device queue can trigger this vulnerability. This requires local access to the system and the ability to modify kernel parameters, typically requiring root privileges or CAP_SYS_ADMIN. The attack surface is limited to systems where the user can change the nr_requests value for a block device that uses an elevator with scheduler tags [1].

Impact

Successful exploitation leads to a kernel panic, causing a denial of service (DoS) condition. The system becomes unavailable until rebooted. There is no evidence of code execution or privilege escalation from this vulnerability [1].

Mitigation

The fix has been applied in the Linux kernel stable tree. The commit replaces et->tags with the newly allocated tags to prevent the double-free. Users should apply the latest kernel updates from their distribution. The vulnerability is tracked in the Linux kernel git repository [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
