CVE-2025-38626

MEDIUM
2025-08-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch Released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Aug 22, 2025 - 16:15 nvd
MEDIUM 5.5

Tags

Linux Linux Kernel Denial Of Service Redhat Suse

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode w/ "mode=lfs" mount option, generic/299 will cause system panic as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2835! Call Trace: <TASK> f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may trigger foreground gc only if it allocates any physical block, it will be a little bit later when there is multiple threads writing data w/ aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so f2fs_map_blocks() does block allocations aggressively. In order to fix this issue, let's give a chance to trigger foreground gc in prior to block allocation in f2fs_map_blocks().

Analysis

Linux kernel f2fs file system denial of service via out-of-space panic in LFS mode allows local authenticated users to crash the system by triggering excessive block allocation during parallel asynchronous I/O operations. The vulnerability affects systems mounted with the 'mode=lfs' option and causes a kernel BUG panic in new_curseg() when foreground garbage collection is not triggered proactively during f2fs_map_blocks(). EPSS exploitation probability is low at 0.02% (4th percentile), indicating limited real-world exploitation likelihood despite CVSS 5.5 availability impact rating. Vendor-released patches are available across multiple kernel stable branches.

Technical Context

The vulnerability exists in the Linux kernel's F2FS (Flash-Friendly File System) implementation, specifically in the block allocation logic within fs/f2fs/segment.c and the f2fs_map_blocks() function. F2FS with LFS (Log-Structured File System) mode uses Out-of-Place Update (OPU), which aggressively allocates physical blocks during file writes via direct I/O and asynchronous I/O operations. The root cause is a race condition where multiple threads performing concurrent writes via aio/dio/bufio methods exhaust free space before foreground garbage collection (GC) can be triggered reactively. The kernel BUG occurs in new_curseg() at line 2835 of segment.c when attempting to allocate a new segment with no available free space. CPE data indicates the Linux kernel across all versions is affected (cpe:2.3:o:linux:linux_kernel). The CWE classification is not specified, but the underlying defect is a resource exhaustion and improper synchronization between allocation and garbage collection timing.

Affected Products

The Linux kernel across all versions is affected per CPE specifications (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). The vulnerability specifically impacts systems using F2FS with the 'mode=lfs' mount option. Patched versions are available in stable kernel branches referenced via commit hashes: 1005a3ca28e90c7a64fa43023f866b960a60f791, 264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5, 385e64a0744584397b4b52b27c96703516f39968, 82765ce5c7a56f9309ee45328e763610eaf11253, f289690f50a01c3e085d87853392d5b7436a4cee, and d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5 accessible via git.kernel.org/stable. Ubuntu security advisory USN-8126-1 provides additional distribution-specific details and affected kernel version ranges.

Remediation

Upgrade to a patched kernel version incorporating the fix commits referenced in git.kernel.org/stable (commits 1005a3ca28e, 264ede8a52f1, 385e64a074, 82765ce5c7a, or f289690f50a). Most Linux distributions have issued patched kernel updates; check your vendor's security advisory (Ubuntu: USN-8126-1). As an interim workaround for systems that cannot immediately patch, avoid the 'mode=lfs' mount option for F2FS volumes if not required for your workload, or limit concurrent asynchronous I/O intensity via I/O scheduling and thread pool tuning. Monitor system logs for kernel BUG panics in new_curseg() to identify affected systems. The fix proactively triggers foreground garbage collection in f2fs_map_blocks() prior to block allocation, preventing the out-of-space condition that causes the panic.

Priority Score

28
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0

Vendor Status

Share

CVE-2025-38626 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy