CVE-2025-10823
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in axboe fio up to 3.41. This affects the function str_buffer_pattern_cb of the file options.c. Performing manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10823
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
axboe fio 3.41
axboe fio *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10823 is a null pointer dereference vulnerability in the fio tool (up to version 3.41) within the function str_buffer_pattern_cb in options.c. It occurs when the program parses a jobfile option 'buffer_pattern' without a value (e.g., 'buffer_pattern='), causing a NULL pointer to be passed to the function. The function then calls strlen() on this NULL pointer, leading to a segmentation fault and crashing the program. [1, 2, 3]

Impact Analysis

This vulnerability can cause the fio program to crash due to a null pointer dereference, impacting the availability of the application. Since the attack must be performed locally, an attacker with local access can exploit this to cause denial of service by crashing fio. It does not affect confidentiality or integrity. [3]

Detection Guidance

This vulnerability can be detected by testing the fio tool with a specially crafted jobfile that includes the option `buffer_pattern=` without a value, which triggers a null pointer dereference and causes a crash. Detection was performed using fuzz testing with AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) on an Ubuntu 22.04 system. To detect it, you can run fio with a jobfile containing `buffer_pattern=` and observe if the program crashes with a segmentation fault. Example command: `fio --filename=testfile --buffer_pattern=` (using a jobfile or command line option). Monitoring for segmentation faults or crash logs referencing `str_buffer_pattern_cb` or `strlen()` on NULL pointers can confirm the presence of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable fio versions up to 3.41 or refraining from specifying the `buffer_pattern` option without a value in jobfiles or command line. Since no official patch or internal fix is available yet, consider replacing fio with an alternative tool or applying external patches if available. Additionally, restrict local access to systems running fio to trusted users only, as exploitation requires local access. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10823. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart