CVE-2025-38691
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers. An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server. During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-09-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38691
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.10.244
linux linux_kernel 6.1.153
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's pNFS implementation involves a use of uninitialized pointers during the encoding of extents in the block/scsi layout. Specifically, when the function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the layoutupdate_pages array is only initialized after the retry loop. However, ext_tree_free_commitdata() is called on every iteration and attempts to use this array, leading to dereferencing uninitialized pointers. Additionally, there is no limit on the maximum buffer size, which can cause the client to create a layoutcommit larger than the maximum RPC size accepted by the server, especially when handling large files with many extents.


How can this vulnerability impact me? :

This vulnerability can lead to memory corruption or crashes in the Linux kernel due to dereferencing uninitialized pointers. It may cause instability or denial of service when handling large files with many extents in pNFS. Furthermore, the lack of a buffer size limit can result in oversized layoutcommit requests that the server cannot handle, potentially disrupting normal file operations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart