CVE-2025-10824
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10824
EUVD
EUVD-2025-30437
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axboe fio 3.41
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap use-after-free bug in the fio tool, specifically in the __parse_jobs_ini function. During job option parsing, an array of options (opts) is dynamically allocated and then freed, but the freed pointer is still used later in the code when sorting options with qsort. This causes the program to access memory that has already been freed, leading to potential crashes or undefined behavior. The issue arises because the comparator function opt_cmp dereferences entries from the freed opts array during sorting. [1]

Impact Analysis

This vulnerability can cause the fio program to crash due to use-after-free memory access. Additionally, because it involves accessing freed memory, it may lead to undefined behavior or potentially be exploited by an attacker who can run code locally. The attack requires local access and a specially crafted input file to trigger the issue. [1]

Detection Guidance

This vulnerability can be detected by running the fio tool with a specially crafted input file that triggers the use-after-free during option parsing. Specifically, you can use the command `./fio --parse-only poc` where 'poc' is a proof-of-concept file designed to reproduce the crash. Additionally, running fio under AddressSanitizer (ASan) or UndefinedBehaviorSanitizer (UBSan) can help detect the heap use-after-free condition. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding running untrusted or crafted fio job files locally, as the attack requires local execution. Applying any available patches or updates to fio that fix the use-after-free in __parse_jobs_ini is recommended. If no patch is available yet, consider restricting access to the fio tool or running it in a restricted environment to limit potential exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart