In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker of processing post_read_wq has not been executed yet
due to high workloads, It is possible that the inode(f2fs_inode_info)
is evicted and freed before it is used f2fs_free_dic.
The UAF case as below:
Thread A Thread B
- f2fs_decompress_end_io
- f2fs_put_dic
- queue_work
add free_dic work to post_read_wq
- do_unlink
- iput
- evict
- call_rcu
This file is deleted after read.
Thread C kworker to process post_read_wq
- rcu_do_batch
- f2fs_free_inode
- kmem_cache_free
inode is freed by rcu
- process_scheduled_works
- f2fs_late_free_dic
- f2fs_free_dic
- f2fs_release_decomp_mem
read (dic->inode)->i_compress_algorithm
This patch store compress_algorithm and sbi in dic to avoid inode UAF.
In addition, the previous solution is deprecated in [1] may cause system hang.
[1] https://lore.kernel.org/all/[email protected]
References
Configurations
History
01 Dec 2025, 11:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
26 Nov 2025, 17:09
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| First Time |
Linux linux Kernel
Linux |
|
| CWE | CWE-416 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
| References | () https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5 - Patch | |
| References | () https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9 - Patch |
Information
Published : 2025-08-22 16:15
Updated : 2025-12-01 11:15
NVD link : CVE-2025-38627
Mitre link : CVE-2025-38627
CVE.ORG link : CVE-2025-38627
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free