Skip to main content

Linux Kernel JFS EUVDEUVD-2025-209683

| CVE-2025-71292 MEDIUM
2026-05-06 Linux GHSA-469f-r242-gq7h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:43 vuln.today
CVSS changed
May 13, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:02 EUVD
CVE Published
May 06, 2026 - 11:32 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

jfs: nlink overflow in jfs_rename

If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning.

After applying the patch syzbot no longer issues any warnings. I also ran some basic fs tests to look for any regressions.

AnalysisAI

Integer wraparound in the Linux kernel JFS (Journaled File System) jfs_rename function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a drop_nlink kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Technical ContextAI

JFS (Journaled File System), originally developed by IBM, is a kernel filesystem implementation accessible via cpe:2.3:a:linux:linux. The jfs_rename() function in fs/jfs/jfsutils.c or equivalent manages directory entry renaming and adjusts hard link counts via inc_nlink and drop_nlink. When a directory's nlink reaches the integer maximum (stored as an unsigned 32-bit value, maximum ~4 billion, but the saturating semantics mean -1 in this context represents a saturated/overflowed counter), an in-place rename of a child directory triggers an increment followed by a decrement. Because the increment pushes past the maximum and wraps to 0, the subsequent drop_nlink call issues a kernel WARN_ON since nlink should never transition from 0 downward. The root cause class is integer overflow/wraparound (conceptually CWE-190 or CWE-191), though the CVE lists CWE as N/A. The tags include 'Buffer Overflow' which is imprecise - this is a numeric wraparound, not a memory buffer overrun. The syzbot fuzzer identified this condition, confirming the scenario is reproducible via automated filesystem fuzzing.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version. Vendor-released patches are confirmed across stable series: upgrade to 5.10.252 or later, 5.15.202 or later, 6.1.165 or later, 6.6.128 or later, 6.12.75 or later, 6.18.16 or later, 6.19.6 or later, or 7.0 or later. Upstream fix commits are available at git.kernel.org/stable/c/ (see references: 2108829a, b4330a0d, a3d66089, f70fcbc2, 5d77c36c, fe136426, 93c32574, 9218dc26). For systems where kernel patching is not immediately feasible, a practical compensating control is to avoid mounting JFS filesystems accessible to untrusted low-privilege users - switching to ext4 or xfs for user-accessible volumes eliminates the attack surface entirely with no functional trade-off for most workloads. If JFS must be used, restricting filesystem access via Linux DAC permissions or mandatory access control (SELinux/AppArmor) policies to limit which users can perform rename operations in JFS directories reduces exploitability. Enabling kernel panic-on-warn in production should be reconsidered if not already disabled, as the drop_nlink warning could cause system halt depending on kernel build configuration.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2025-209683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy