CVE-2025-38659

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-08-22 (416baaa9-dc9f-4396-8d5f-8c081fb06d67)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 25, 2026 - 11:22 (vuln.today)
Patch Released: Mar 25, 2026 - 11:22 (nvd) - Patch available
CVE Published: Aug 22, 2025 - 16:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

gfs2: No more self recovery

When a node withdraws and it turns out that it is the only node that has the filesystem mounted, gfs2 currently tries to replay the local journal to bring the filesystem back into a consistent state. Not only is that a very bad idea, it has also never worked because gfs2_recover_func() will refuse to do anything during a withdraw.

However, before even getting to this point, gfs2_recover_func() dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") and is a NULL pointer dereference since then.

Simply get rid of self recovery to fix that.

Analysis

The Linux kernel's GFS2 filesystem can be forced into a denial of service through a NULL pointer dereference when a node withdraws from a cluster filesystem while it is the only node with the filesystem mounted. The vulnerability affects all Linux kernel versions with GFS2 support (CPE: cpe:2.3:o:linux:linux_kernel) and requires local access as a low-privileged user to trigger. An authenticated local attacker can crash the kernel by inducing the specific GFS2 recovery conditions, causing system unavailability. No public exploit code has been identified, and the EPSS score of 0.02% indicates a very low likelihood of real-world exploitation despite the moderate CVSS 5.5 rating.

Technical Context

GFS2 (Global File System 2) is a shared-disk cluster filesystem in the Linux kernel that coordinates I/O across multiple nodes. When a node detects filesystem corruption and enters the withdraw state, the kernel attempts self-recovery by replaying the local journal. The vulnerability resides in the gfs2_recover_func() function, which dereferences sdp->sd_jdesc->jd_inode without null-pointer validation. This is a CWE-476 NULL pointer dereference. Prior to commit 04133b607a78, this was a use-after-free condition; after that commit, it became a null dereference. The affected product is identified via CPE cpe:2.3:o:linux:linux_kernel for all versions with GFS2 compiled in. The root cause is the inappropriate self-recovery attempt, which contradicts the withdraw-state mechanics already present in the kernel.

Affected Products

Linux kernel versions across all supported distributions with GFS2 filesystem support are affected, as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. The vulnerability impacts any kernel compiled with CONFIG_GFS2 enabled. Patches are available in multiple stable kernel branches: commit 1a91ba12abef628b43cada87478328274d988e88, commit 6784367b2f3cd7b89103de35764f37f152590dbd, commit 97c94c7dbddc34d353c83b541b3decabf98d04af, commit deb016c1669002e48c431d6fd32ea1c20ef41756, and commit f5426ffbec971a8f7346a57392d3a901bdee5a9b. Ubuntu has issued security notice USN-8126-1 addressing this issue across affected distributions. Specific kernel version numbers containing the fix should be obtained from individual distribution vendor advisories, as the provided references point to commit hashes rather than released version numbers.

Remediation

Apply the Linux kernel security patch from your distribution vendor as soon as it is available. For Ubuntu systems, install the updates referenced in USN-8126-1 via standard package management (apt update && apt upgrade). For other distributions, consult your vendor's security advisory for the specific patched kernel version. Until patching is complete, mitigate risk by disabling GFS2 filesystem support if the system does not require cluster filesystem functionality (rebuild the kernel with CONFIG_GFS2=n), or restrict GFS2 cluster membership to prevent single-node-only configurations that trigger the vulnerable code path. For production GFS2 clusters, ensure proper cluster quorum and fencing mechanisms are in place to prevent isolated nodes from attempting recovery. No workarounds exist for systems that actively use GFS2 in multi-node clusters.
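As an added example for the Remediation advice above (my code, not vuln.today's or the kernel project's), a POSIX shell exposure check that reads /proc/mounts- and /proc/filesystems-format files and reports whether GFS2 is in use, merely registered with the kernel, or absent on a host. The file paths are parameters so it runs here against constructed samples; the verdict words are my own.

```shell
#!/bin/sh
# Exposure check for CVE-2025-38659 (added example; not the site's or the kernel's code).

# gfs2_mounts FILE: print mount points from a /proc/mounts-format file whose fs type is gfs2
gfs2_mounts() {
    awk '$3 == "gfs2" { print $2 }' "$1"
}

# gfs2_registered FILE: succeed if gfs2 appears in a /proc/filesystems-format file
# (lines look like "nodev<TAB>proc" or "<TAB>gfs2"; the fs type is always the last field)
gfs2_registered() {
    awk '$NF == "gfs2" { found = 1 } END { exit !found }' "$1"
}

# gfs2_exposure MOUNTS_FILE FILESYSTEMS_FILE: print one verdict word
#   in-use      gfs2 filesystems are mounted: patch the kernel, no workaround applies
#   registered  gfs2 is registered but nothing is mounted: patch, or disable the module
#   absent      gfs2 is not registered with the kernel: this CVE is not reachable
gfs2_exposure() {
    if [ -n "$(gfs2_mounts "$1")" ]; then
        echo in-use
    elif gfs2_registered "$2"; then
        echo registered
    else
        echo absent
    fi
}

# Constructed sample inputs mimicking /proc/mounts and /proc/filesystems on a cluster node
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
  'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
  '/dev/mapper/cluster-vol /mnt/shared gfs2 rw,relatime,lock_table=mycluster:vol1 0 0' \
  '/dev/sda1 / ext4 rw,relatime 0 0' > "$SAMPLE_DIR/mounts"
printf 'nodev\tproc\n\text4\n\tgfs2\n' > "$SAMPLE_DIR/filesystems"
printf 'nodev\tproc\n\text4\n' > "$SAMPLE_DIR/filesystems_nogfs2"

# Run against the samples; on a live host call: gfs2_exposure /proc/mounts /proc/filesystems
gfs2_exposure "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/filesystems"
```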

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0


CVE-2025-38659 vulnerability details – vuln.today