CVE-2025-38218
Status: Analyzed - Analysis Complete
Source: BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on sit_bitmap_size

w/ below testcase, resize will generate a corrupted image which contains inconsistent metadata, so when mounting such image, it will trigger kernel panic:

    touch img
    truncate -s $((512*1024*1024*1024)) img
    mkfs.f2fs -f img $((256*1024*1024))
    resize.f2fs -s -i img -t $((1024*1024*1024))
    mount img /mnt/f2fs

    ------------[ cut here ]------------
    kernel BUG at fs/f2fs/segment.h:863!
    Oops: invalid opcode: 0000 [#1] SMP PTI
    CPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    RIP: 0010:f2fs_ra_meta_pages+0x47c/0x490
    Call Trace:
     f2fs_build_segment_manager+0x11c3/0x2600
     f2fs_fill_super+0xe97/0x2840
     mount_bdev+0xf4/0x140
     legacy_get_tree+0x2b/0x50
     vfs_get_tree+0x29/0xd0
     path_mount+0x487/0xaf0
     __x64_sys_mount+0x116/0x150
     do_syscall_64+0x82/0x190
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    RIP: 0033:0x7fdbfde1bcfe

The reason is: sit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum there are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt is 4762, build_sit_entries() -> current_sit_addr() tries to access out-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap and sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on().

Let's add sanity check in f2fs_sanity_check_ckpt() to avoid panic.
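The arithmetic behind the crash, as an added illustration rather than the kernel's actual patch: the checkpoint's SIT bitmap has one bit per SIT block, and the number of SIT blocks needed is MAIN_SEGS divided by the entries that fit in one 4 KiB block (f2fs's on-disk sit entry is 74 bytes, so 55 per block). The function names and the rejection path are assumptions for this example; the constants and the 192 / 261893 values come from the commit message above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define F2FS_BLKSIZE        4096   /* f2fs block size */
#define SIT_ENTRY_SIZE      74     /* on-disk struct f2fs_sit_entry */
#define SIT_ENTRY_PER_BLOCK (F2FS_BLKSIZE / SIT_ENTRY_SIZE)   /* 55 */
#define BITS_PER_BYTE       8

/* Number of SIT blocks needed to hold one entry per main-area segment
 * (the sit_blk_cnt of the commit message). */
static uint32_t sit_blocks_for(uint32_t main_segs)
{
    return (main_segs + SIT_ENTRY_PER_BLOCK - 1) / SIT_ENTRY_PER_BLOCK;
}

/* Mount-time sanity check (hypothetical name): true when a SIT bitmap of
 * sit_bitmap_size bytes has a bit for every SIT block the segment count
 * implies. A false result means the image is inconsistent and should be
 * refused before build_sit_entries() indexes the bitmap out of bounds. */
static bool sit_bitmap_covers(uint32_t sit_bitmap_size, uint32_t main_segs)
{
    uint64_t max_sit_blks = (uint64_t)sit_bitmap_size * BITS_PER_BYTE;
    return sit_blocks_for(main_segs) <= max_sit_blks;
}

int main(void)
{
    /* Values from the commit message: 192-byte bitmap, 261893 segments. */
    uint32_t bitmap_size = 192, main_segs = 261893;
    printf("sit_blk_cnt=%u max_sit_blks=%u -> %s\n",
           sit_blocks_for(main_segs), bitmap_size * BITS_PER_BYTE,
           sit_bitmap_covers(bitmap_size, main_segs) ? "ok" : "reject image");
    return 0;
}
```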
Meta Information
Published: 2025-07-04
Last Modified: 2025-12-18
Generated: 2026-05-07
AI Q&A: 2025-07-04
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 3.8 (inc) to 5.10.239 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.186 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.142 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.95 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.35 (exc)
linux linux_kernel From 6.13 (inc) to 6.15.4 (exc)
debian debian_linux 11.0
CWE ID: NVD-CWE-noinfo (insufficient information to assign a CWE)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's f2fs filesystem implementation. The checkpoint's sit_bitmap_size was not checked against the number of SIT blocks implied by MAIN_SEGS, so an f2fs image left with inconsistent metadata by resize.f2fs leads to an out-of-bounds access of the SIT bitmap when the image is mounted, which triggers f2fs_bug_on() and a kernel panic. In the reported case the bitmap covers at most 1536 SIT blocks while 4762 are needed. A sanity check in f2fs_sanity_check_ckpt() was added to reject such images instead of panicking.


How can this vulnerability impact me?

If exploited, this vulnerability causes a kernel panic when mounting an f2fs filesystem image that has been resized improperly (or crafted with the same inconsistent metadata). The result is a system crash and denial of service, since the kernel hits corrupted metadata and an invalid memory access during mount.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the conditions that trigger the kernel panic related to the f2fs filesystem. The provided testcase commands are:

1. touch img
2. truncate -s $((512*1024*1024*1024)) img
3. mkfs.f2fs -f img $((256*1024*1024))
4. resize.f2fs -s -i img -t $((1024*1024*1024))
5. mount img /mnt/f2fs

If mounting the image triggers a kernel panic with messages similar to the provided kernel BUG trace, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patch that adds a sanity check in f2fs_sanity_check_ckpt() (the fixed kernel versions are listed under Affected Vendors & Products). Until the patch is applied, avoid resizing f2fs images in a way that triggers the out-of-boundary access, and avoid mounting images created or resized with the problematic parameters or obtained from untrusted sources. Monitoring for kernel panic logs related to f2fs can also help in early detection.

