Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Trigger is a local cross-CPU race needing file read access plus a concurrent truncate, so AV:L/AC:H/PR:L; impact is a kernel crash only, hence C:N/I:N/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
iomap: avoid potential null folio->mapping deref during error reporting
When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read.
For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur:
CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- read_bytes_pending -= len finished = false /* preempted before fserror_report_io() */ read_bytes_pending -= len finished = true folio_end_read() truncate clears folio->mapping fserror_report_io( folio->mapping->host, ...) ^ NULL deref
Fix this by reporting the error first before decrementing ifs->read_bytes_pending.
AnalysisAI
Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local filesystem activity against a filesystem using the iomap buffered read path (such as XFS): a buffered read that actually fails (an underlying storage/I/O read error), a folio large enough to be split across multiple concurrent read completions, and a concurrently-running truncate on the same file to detach folio->mapping during the narrow window after read_bytes_pending is decremented. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a moderate, availability-only issue rather than a top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user repeatedly issues buffered reads against a file backed by an iomap filesystem while inducing read I/O errors (e.g., from a flaky or fault-injected block device) and simultaneously truncating the file. With the right timing across CPUs, the failed-read completion path dereferences a folio whose mapping was just cleared by truncate, panicking the kernel and crashing the host. … |
| Remediation | Upgrade to a fixed stable kernel: per EUVD the fix lands in the 7.0.13 and 7.1 lines, corresponding to upstream commits 1ad453817a4077230d1ba88eb0868f05f824449a and 2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 (https://git.kernel.org/stable/c/1ad453817a4077230d1ba88eb0868f05f824449a). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems running vulnerable Linux kernel versions, prioritizing production servers handling critical workloads. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39256
GHSA-f5cm-4mmf-92c9