Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid1,raid10: don't ignore IO flags

If blk-wbt is enabled by default, it's found that raid write performance
is quite bad because all IO is throttled by wbt of the underlying disks,
due to the flag REQ_IDLE being ignored. And it turns out this behaviour has
existed since blk-wbt was introduced.

Besides REQ_IDLE, other flags should not be ignored either. For example,
REQ_META can be set for filesystems, and clearing it can cause priority
reverse problems; and REQ_NOWAIT should not be cleared either, because
IO will wait instead of failing directly in the underlying disks.

Fix those problems by keeping IO flags from the master bio.

Fixes: f51d46d0e7cb ("md: add support for REQ_NOWAIT")
Published: 2025-04-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a flaw was identified in the md/raid1 and raid10 drivers where certain I/O flags such as REQ_IDLE, REQ_META, and REQ_NOWAIT were ignored. This oversight caused write operations to be throttled by block write‑back throttling (wbt), leading to poor write performance and, in some cases, incorrect timing behavior. The result is a moderate degradation in system performance and a risk that blocked or delayed writes may not complete as expected, potentially affecting application reliability.

Affected Systems

All versions of the Linux kernel that include the md/raid1 and raid10 subsystems are subject to this issue, as the flaw has existed since the introduction of blk-wbt. The specific product is the open‑source Linux kernel; no further version specificity is available from the CNA data.

Risk and Exploitability

The CVSS score of 5.5 reflects medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. It requires local access to the kernel, typically involving a user or process interacting with mdraid devices, and exploits the kernel’s handling of I/O flags. There is no known remote exploitation vector, so the risk is primarily limited to environments where malicious users can influence I/O behavior on the host.

Generated by OpenCVE AI on May 1, 2026 at 10:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit f51d46d0e7cb, which restores the ignored I/O flags.
  • If an immediate kernel upgrade is not possible, temporarily disable blk-wbt or ensure that workloads avoid setting REQ_IDLE, REQ_META, or REQ_NOWAIT flags.
  • Review any custom or third‑party modules that interact with md/raid1 or raid10 to confirm they set the correct flags before initiating I/O, preventing unintended throttling or blocking.

Generated by OpenCVE AI on May 1, 2026 at 10:04 UTC.
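
As a way to see where the blk-wbt workaround mentioned above would apply, the following added example (not OpenCVE's or the kernel project's code) lists the member devices of md raid1/raid10 arrays and the `wbt_lat_usec` value of each member's request queue. The function names and the `SYSFS_BLOCK` override are hypothetical; the sample tree is constructed data.

```bash
#!/usr/bin/env bash
# Added example: show blk-wbt state for the members of md raid1/raid10 arrays.

# Print the path of a member's wbt_lat_usec attribute, if it has one.
# Whole disks carry queue/ directly; partitions inherit it from the parent disk.
wbt_file_for() {
    local dev=$1 f
    for f in "$dev/queue/wbt_lat_usec" "$dev/../queue/wbt_lat_usec"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# One line per member: <array> <level> <member> <wbt_lat_usec> <state>
# A value of 0 means wbt is disabled on that queue.
md_wbt_report() {
    local root=${1:-/sys/block} md level slave f lat state
    for md in "$root"/md*; do
        [ -r "$md/md/level" ] || continue
        level=$(cat "$md/md/level")
        case $level in raid1|raid10) ;; *) continue ;; esac
        for slave in "$md"/slaves/*; do
            [ -e "$slave" ] || continue
            if f=$(wbt_file_for "$slave"); then
                lat=$(cat "$f")
                if [ "$lat" = 0 ]; then state=wbt-off; else state=wbt-on; fi
            else
                lat=n/a; state=no-wbt-attr
            fi
            printf '%s %s %s %s %s\n' "${md##*/}" "$level" "${slave##*/}" "$lat" "$state"
        done
    done
}

# Constructed sysfs-like tree (sample data, not a real host) for a dry run.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/md0/md" "$t/md0/slaves" "$t/sda/queue" "$t/sdb/queue" "$t/sdb/sdb1"
    echo raid1 > "$t/md0/md/level"
    echo 75000 > "$t/sda/queue/wbt_lat_usec"   # whole-disk member, wbt active
    echo 0 > "$t/sdb/queue/wbt_lat_usec"       # partition member, wbt disabled
    ln -s "$t/sda" "$t/md0/slaves/sda"
    ln -s "$t/sdb/sdb1" "$t/md0/slaves/sdb1"
    printf '%s\n' "$t"
}

md_wbt_report "${SYSFS_BLOCK:-/sys/block}"
```

Members reported as `no-wbt-attr` sit on a queue that does not expose the attribute, for example when the kernel was built without blk-wbt.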

Advisories
Source | ID | Title
Debian DSA | DSA-6008-1 | linux security update
EUVD | EUVD-2025-11171 | In the Linux kernel, the following vulnerability has been resolved: md/raid1,raid10: don't ignore IO flags If blk-wbt is enabled by default, it's found that raid write performance is quite bad because all IO is throttled by wbt of the underlying disks, due to the flag REQ_IDLE being ignored. And it turns out this behaviour has existed since blk-wbt was introduced. Besides REQ_IDLE, other flags should not be ignored either. For example, REQ_META can be set for filesystems, and clearing it can cause priority reverse problems; and REQ_NOWAIT should not be cleared either, because IO will wait instead of failing directly in the underlying disks. Fix those problems by keeping IO flags from the master bio. Fixes: f51d46d0e7cb ("md: add support for REQ_NOWAIT")
Ubuntu USN | USN-7594-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-7594-2 | Linux kernel (Azure) vulnerabilities
Ubuntu USN | USN-7594-3 | Linux kernel vulnerabilities
Ubuntu USN | USN-8095-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-8095-2 | Linux kernel (FIPS) vulnerabilities
Ubuntu USN | USN-8100-1 | Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN | USN-8095-3 | Linux kernel (Real-time) vulnerabilities
Ubuntu USN | USN-8095-4 | Linux kernel (AWS) vulnerabilities
Ubuntu USN | USN-8125-1 | Linux kernel (Azure) vulnerabilities
Ubuntu USN | USN-8126-1 | Linux kernel (Azure) vulnerabilities
Ubuntu USN | USN-8095-5 | Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN | USN-8165-1 | Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN | USN-8261-1 | Linux kernel (Xilinx) vulnerabilities
History

Mon, 27 Apr 2026 14:15:00 +0000


Mon, 03 Nov 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Tue, 09 Sep 2025 17:15:00 +0000


Fri, 25 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-99

Thu, 17 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 16 Apr 2025 14:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: md/raid1,raid10: don't ignore IO flags If blk-wbt is enabled by default, it's found that raid write performance is quite bad because all IO is throttled by wbt of the underlying disks, due to the flag REQ_IDLE being ignored. And it turns out this behaviour has existed since blk-wbt was introduced. Besides REQ_IDLE, other flags should not be ignored either. For example, REQ_META can be set for filesystems, and clearing it can cause priority reverse problems; and REQ_NOWAIT should not be cleared either, because IO will wait instead of failing directly in the underlying disks. Fix those problems by keeping IO flags from the master bio. Fixes: f51d46d0e7cb ("md: add support for REQ_NOWAIT")
Title md/raid1,raid10: don't ignore IO flags
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:13:27.100Z

Reserved: 2024-12-29T08:45:45.823Z

Link: CVE-2025-22125

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-04-16T15:16:06.630

Modified: 2026-04-27T14:16:22.127

Link: CVE-2025-22125

Redhat

Severity : Moderate

Public Date: 2025-04-16T00:00:00Z

Links: CVE-2025-22125 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z
