CVE-2025-21631: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free (UAF) vulnerability was discovered in the Linux kernel's BFQ I/O scheduler component (CVE-2025-21631). The vulnerability was identified in the block/bfq-iosched.c file, specifically affecting the waker_bfqq functionality after bfq_split_bfqq() operation. This issue was discovered on January 19, 2025, affecting multiple versions of the Linux kernel including versions 5.15.x, 6.1.x, 6.6.x, and 6.10.x (NVD).

The vulnerability occurs in the BFQ I/O scheduler when handling queue splitting operations. Specifically, a use-after-free condition arises in bfq_init_rq+0x175d/0x17a0 at block/bfq-iosched.c:6958. The issue stems from incorrect handling of process references when waker_bfqq is not in the merge chain, allowing access to freed memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to use-after-free conditions in the kernel's block I/O subsystem, potentially resulting in system crashes, memory corruption, or privilege escalation. The high CVSS score indicates that successful exploitation could lead to complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves properly checking process references when waker_bfqq is not in the merge chain. Multiple stable kernel versions have received the patch, including 5.15.177, 6.1.125, 6.6.72, and 6.11. Users are advised to upgrade to these or later versions (Kernel Patch).