Skip to main content

Linux CVE-2025-38626

MEDIUM
2025-08-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Aug 22, 2025 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode

w/ "mode=lfs" mount option, generic/299 will cause system panic as below:

------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2835! Call Trace: <TASK> f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720

The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may trigger foreground gc only if it allocates any physical block, it will be a little bit later when there is multiple threads writing data w/ aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so f2fs_map_blocks() does block allocations aggressively.

In order to fix this issue, let's give a chance to trigger foreground gc in prior to block allocation in f2fs_map_blocks().

AnalysisAI

Linux kernel f2fs file system denial of service via out-of-space panic in LFS mode allows local authenticated users to crash the system by triggering excessive block allocation during parallel asynchronous I/O operations. The vulnerability affects systems mounted with the 'mode=lfs' option and causes a kernel BUG panic in new_curseg() when foreground garbage collection is not triggered proactively during f2fs_map_blocks(). EPSS exploitation probability is low at 0.02% (4th percentile), indicating limited real-world exploitation likelihood despite CVSS 5.5 availability impact rating. Vendor-released patches are available across multiple kernel stable branches.

Technical ContextAI

The vulnerability exists in the Linux kernel's F2FS (Flash-Friendly File System) implementation, specifically in the block allocation logic within fs/f2fs/segment.c and the f2fs_map_blocks() function. F2FS with LFS (Log-Structured File System) mode uses Out-of-Place Update (OPU), which aggressively allocates physical blocks during file writes via direct I/O and asynchronous I/O operations. The root cause is a race condition where multiple threads performing concurrent writes via aio/dio/bufio methods exhaust free space before foreground garbage collection (GC) can be triggered reactively. The kernel BUG occurs in new_curseg() at line 2835 of segment.c when attempting to allocate a new segment with no available free space. CPE data indicates the Linux kernel across all versions is affected (cpe:2.3:o:linux:linux_kernel). The CWE classification is not specified, but the underlying defect is a resource exhaustion and improper synchronization between allocation and garbage collection timing.

RemediationAI

Upgrade to a patched kernel version incorporating the fix commits referenced in git.kernel.org/stable (commits 1005a3ca28e, 264ede8a52f1, 385e64a074, 82765ce5c7a, or f289690f50a). Most Linux distributions have issued patched kernel updates; check your vendor's security advisory (Ubuntu: USN-8126-1). As an interim workaround for systems that cannot immediately patch, avoid the 'mode=lfs' mount option for F2FS volumes if not required for your workload, or limit concurrent asynchronous I/O intensity via I/O scheduling and thread pool tuning. Monitor system logs for kernel BUG panics in new_curseg() to identify affected systems. The fix proactively triggers foreground garbage collection in f2fs_map_blocks() prior to block allocation, preventing the out-of-space condition that causes the panic.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-38626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy