
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in the Linux kernel's block multiqueue (blk-mq) subsystem was identified and assigned CVE-2025-40146. The issue was discovered on November 12, 2025, and involves a potential deadlock condition that occurs while nr_requests is being grown. The vulnerability affects various Linux kernel versions across multiple distributions including Ubuntu and its derivatives (NVD, Ubuntu).
The vulnerability stems from a deadlock in the block multiqueue (blk-mq) subsystem that can occur when sched_tags are allocated and freed while the queue is frozen. This is a long-standing problem in the kernel's block layer. The fix restructures the timing of memory management: memory is allocated before the queue is frozen and freed after the queue is unfrozen (NVD).
The vulnerability affects multiple Linux distributions and their derivatives. Ubuntu has classified this as a medium priority issue, with multiple kernel packages marked as vulnerable across different Ubuntu releases including 24.04 LTS (noble), 22.04 LTS (jammy), 20.04 LTS (focal), and 18.04 LTS (bionic) (Ubuntu).
The issue has been resolved in the Linux kernel through a patch that modifies the memory allocation timing in the block multiqueue subsystem. The fix ensures that memory allocation occurs before queue freezing and deallocation happens after queue unfreezing (NVD).
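The ordering change described above, shown as an added userspace model that is not the kernel patch or any code from the advisory: the struct, the function names and the hazard counter are hypothetical, and the model simply counts every allocation or free of the tag array made while the queue is marked frozen.

```c
/* Userspace model of the ordering only; not kernel code, all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct model_queue {
    int frozen;      /* 1 while the queue is frozen */
    unsigned nr;     /* stands in for nr_requests */
    int *tags;       /* stands in for sched_tags */
    int hazards;     /* alloc/free calls made while frozen */
};
/* The model counts any allocation or free made while frozen as a hazard. */
static int *model_alloc(struct model_queue *q, unsigned nr) {
    q->hazards += q->frozen;
    return calloc(nr, sizeof(int));
}
static void model_free(struct model_queue *q, int *tags) {
    q->hazards += q->frozen;
    free(tags);
}
/* Problem ordering: allocate and free while the queue is frozen. */
int grow_inside_freeze(struct model_queue *q, unsigned nr) {
    q->frozen = 1;
    int *new_tags = model_alloc(q, nr);
    if (new_tags) { model_free(q, q->tags); q->tags = new_tags; q->nr = nr; }
    q->frozen = 0;
    return new_tags ? 0 : -1;
}
/* Fixed ordering: allocate, freeze, swap, unfreeze, free. */
int grow_outside_freeze(struct model_queue *q, unsigned nr) {
    int *new_tags = model_alloc(q, nr);      /* before freezing */
    if (!new_tags) return -1;                /* failure never touches the queue */
    q->frozen = 1;
    int *old_tags = q->tags;
    q->tags = new_tags; q->nr = nr;          /* only the swap runs frozen */
    q->frozen = 0;
    model_free(q, old_tags);                 /* after unfreezing */
    return 0;
}
/* Grow a fresh 64-entry queue to 128 and return the hazard count (-1 on error). */
int hazards_for(int (*grow)(struct model_queue *, unsigned)) {
    struct model_queue q = { 0, 64, calloc(64, sizeof(int)), 0 };
    int rc = grow(&q, 128);
    free(q.tags);
    return (rc == 0 && q.nr == 128) ? q.hazards : -1;
}
int main(void) {
    printf("inside: %d, outside: %d\n", hazards_for(grow_inside_freeze), hazards_for(grow_outside_freeze));
    return 0;
}
```

In the fixed ordering an allocation failure returns before the queue is ever frozen, so the error path needs no unfreeze.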
Source: This report was generated using AI