CVE-2025-40125

Vulnerability

Overview

CVE-2025-40125 is a vulnerability in the Linux kernel's block multi-queue (blk-mq) subsystem. The root cause is that in blk_mq_unregister_hctx(), the function unconditionally calls kobject_del() without first verifying that the kobject was successfully created in sysfs. This occurs when __blk_mq_update_nr_hw_queues() calls blk_mq_sysfs_register_hctxs() but does not check its return value. If sysfs creation for a hardware context (hctx) fails, a subsequent operation to change the number of hardware queues or remove the disk will attempt to delete a non-existent sysfs directory, leading to a kernel warning [1].

Exploitation

Scenario

An attacker with the ability to trigger a failure in sysfs creation for an hctx, for example by exhausting system resources or through a race condition, can cause the kernel to reach the vulnerable code path. The attack surface is local; the attacker needs to be able to interact with the block layer, such as by using a driver like null_blk to dynamically change the number of hardware queues. No special privileges are required beyond the ability to trigger the relevant ioctl or sysfs store operations [1].

Impact

When the vulnerability is triggered, the kernel emits a warning message and a stack trace, but does not crash. The primary impact is a denial of service condition due to the warning and potential system instability. There is no evidence of memory corruption or privilege escalation from this bug [1].

Mitigation

The fix has been applied to the Linux kernel stable tree in commit 06c4826b1d900611096e4621e93133db57e13911 and backported to other stable branches [1][2][3]. Users should update their kernel to a version containing this patch. No workaround is available other than avoiding the triggering conditions.