Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68807

CVE-2025-68807: Linux Kernel Race Condition Vulnerability

CVE-2025-68807 is a race condition vulnerability in the Linux kernel affecting WBT counter initialization, causing hung tasks in the writeback path. This article covers the technical details, impact, and mitigation strategies.

Updated:

CVE-2025-68807 Overview

A race condition vulnerability has been identified in the Linux kernel's block layer subsystem, specifically in the wbt_enable_default() function. When this function is moved out of queue freezing in elevator_change(), it can cause the write-back throttling (WBT) inflight counter to become negative (-1), leading to hung tasks in the writeback path.

Critical Impact

This vulnerability can cause tasks to become stuck indefinitely in wbt_wait() due to an inconsistent counter state, resulting in system hangs and denial of service conditions affecting kernel stability.

Affected Products

  • Linux kernel with block layer WBT (Write-Back Throttling) enabled
  • Systems using elevator/IO scheduler changes at runtime
  • Kernel configurations with CONFIG_BLK_WBT enabled

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68807 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68807

Vulnerability Analysis

This race condition occurs in the Linux kernel's block I/O quality of service (QoS) subsystem, specifically within the Write-Back Throttling (WBT) mechanism. The vulnerability manifests when wbt_enable_default() executes concurrently with I/O submission operations.

The core issue stems from a timing window where the WBT state can be updated between the call to wbt_wait() (via rq_qos_throttle()) and the subsequent call to wbt_track() (via rq_qos_track()). When rwb_enabled() checks the state during this window, the inflight counter can be decremented before proper initialization occurs, causing it to underflow to -1.

This results in a deadlock condition where tasks waiting for the counter become permanently blocked, as evidenced by hung task warnings showing processes in state D (uninterruptible sleep) with call traces through rq_qos_wait(), wbt_wait(), and blk_mq_submit_bio().

Root Cause

The root cause is improper synchronization between the WBT initialization path and the I/O submission path. Specifically, when wbt_enable_default() was moved outside of queue freezing in elevator_change(), it created a race window where:

  1. The WBT state could be partially initialized
  2. Concurrent I/O submissions could decrement the inflight counter
  3. The counter becomes negative due to the initialization race
  4. Tasks waiting on the counter never get woken up due to the inconsistent state

The diagnostic signature shows rq_wait[0].inflight: -1 with has_waiters: True, indicating the deadlock condition.

Attack Vector

This vulnerability is triggered locally through legitimate system operations that cause elevator/IO scheduler changes while I/O is in flight. The race condition can be triggered by:

  1. Changing I/O schedulers via sysfs while the system is under I/O load
  2. Enabling or disabling BFQ or iocost I/O schedulers at runtime
  3. Any operation that triggers wbt_enable_default() during active I/O submission

While not directly exploitable for code execution, an attacker with local access could potentially trigger this race condition intentionally to cause a denial of service by inducing system hangs.

Detection Methods for CVE-2025-68807

Indicators of Compromise

  • Processes stuck in D (uninterruptible sleep) state with stack traces through wbt_wait()
  • Hung task warnings in kernel logs showing kworker processes blocked in rq_qos_wait()
  • WBT inflight counter showing negative values (-1) in debug output
  • System I/O operations becoming unresponsive after scheduler changes

Detection Strategies

  • Monitor kernel logs for hung task warnings mentioning wbt_wait or rq_qos_wait in the call trace
  • Check /sys/kernel/debug/block/*/rq_qos/ for WBT state anomalies if debugfs is available
  • Implement monitoring for processes in D state with extended duration (exceeding hung_task_timeout_secs)
  • Track I/O scheduler change events that may trigger the race condition

Monitoring Recommendations

  • Enable kernel hung task detection with appropriate timeout thresholds
  • Configure alerting for unusual numbers of processes in uninterruptible sleep state
  • Monitor system I/O latency for sudden increases that may indicate hung writeback operations
  • Log elevator/scheduler changes for correlation with any system hang events

How to Mitigate CVE-2025-68807

Immediate Actions Required

  • Apply the kernel patches from the stable git repository to remediate the race condition
  • Avoid changing I/O schedulers on production systems under heavy I/O load until patched
  • Consider freezing I/O queues manually before scheduler changes as a temporary workaround
  • Monitor systems for hung task warnings indicating this issue

Patch Information

The vulnerability has been addressed through kernel patches that restructure the WBT initialization logic:

  1. Commit 9869d3a6fed3 - Primary fix splitting wbt_enable_default() into separate functions
  2. Commit f55201fb3bec - Additional changes for proper WBT initialization

The fix introduces __wbt_enable_default(), wbt_enable_default(), and wbt_init_enable_default() functions to ensure proper initialization ordering and removes the now-unnecessary ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag.

Workarounds

  • Avoid runtime I/O scheduler changes on production systems until patches are applied
  • If scheduler changes are necessary, perform them during low I/O activity periods
  • Consider rebooting affected systems if hung tasks are detected rather than waiting indefinitely
  • Freeze I/O queues before making scheduler changes using appropriate block layer interfaces
bash
# Check current WBT status and scheduler before making changes
cat /sys/block/sda/queue/scheduler
cat /sys/block/sda/queue/wbt_lat_usec

# Reduce I/O load before scheduler changes
sync
echo 3 > /proc/sys/vm/drop_caches

# If applying patches, verify commit hashes after kernel update
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.