CVE-2025-39999: Multiple Releases of Same Resource or Handle in Linux

Severity: 5.2 MEDIUM (no vector)
EPSS: 0.0% (top 93.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 15

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix blk_mq_tags double free while nr_requests grown

In the case user trigger tags grow by queue sysfs attribute nr_requests, hctx->sched_tags will be freed directly and replaced with a new allocated tags, see blk_mq_tag_update_depth().

The problem is that hctx->sched_tags is from elevator->et->tags, while et->tags is still the freed tags, hence later elevator exit will try to free the tags again, causing kernel panic.

Affected Packages (4 packages)

Linux | linux/linux_kernel | 6.17.0 | 6.17.1 | +1
Debian | linux/linux_kernel | < 6.16.11-1
CVEListV5 | linux/linux | 58567d8e95c096ad234963df90a2ca518901f4b6 | 8faee580d63bc2a54a59dcdb7f9ce4de29384fec | +3
debian | debian/linux | < linux 6.16.11-1 (forky)

🔴 Vulnerability Details (3)

GHSA: GHSA-28j8-2q92-jm59: In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix blk_mq_tags double free while nr_requests grown In the case user tri (2025-10-15)
OSV: CVE-2025-39999: In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix blk_mq_tags double free while nr_requests grown In the case user trigg (2025-10-15)
OSV: blk-mq: fix blk_mq_tags double free while nr_requests grown (2025-10-15)

📋 Vendor Advisories (2)

Red Hat: kernel: blk-mq: fix blk_mq_tags double free while nr_requests grown (2025-10-15)
Debian: CVE-2025-39999: linux - In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix... (2025)