CVE-2025-38709
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-12-03
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | Up to 6.6.109 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.43 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.15.11 (exc) |
| linux | linux_kernel | From 6.16 (inc) to 6.16.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's loop device: the block size of the device can be changed while a filesystem is mounted on it. This causes a mismatch between the block device's block size and the block size stored in the filesystem's superblock, which confuses the kernel's buffer management and leads to errors. The issue was triggered by a tool called syzbot and surfaced as warnings caused by buffer size mismatches. The fix requires exclusive ownership of the loop device before its block size can be changed, so the change is refused when the device is already exclusively owned by something like a filesystem.
How can this vulnerability impact me?
This vulnerability can cause kernel warnings and potential instability or data corruption because the filesystem and block device have mismatched block sizes. This mismatch can lead to confusion in buffer management within the kernel, potentially affecting filesystem reliability and data integrity when using loop devices.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the fix is applied. The fix involves preventing changes to the loop device block size when it is exclusively owned, so applying the patch or kernel update that includes this fix will prevent the issue.
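An added example, not part of the original page or of the kernel project: a Python check of a `uname -r` style release string against the upstream version ranges in the table above. The function names are assumptions made for this example, and a distribution kernel that backports the fix under an older version number still has to be checked against the vendor's advisory.

```python
import platform
import re

# Upstream ranges from the "Affected Vendors & Products" table on this page,
# stored as (first affected, first fixed). None means "no lower bound".
AFFECTED_RANGES = [
    (None, (6, 6, 109)),
    ((6, 7, 0), (6, 12, 43)),
    ((6, 13, 0), (6, 15, 11)),
    ((6, 16, 0), (6, 16, 2)),
]


def parse_release(release):
    """Turn a release string such as '6.12.40-generic' into (6, 12, 40)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing patch level ('6.16-rc1') is treated as .0
    return tuple(int(part or 0) for part in match.groups())


def is_affected(release):
    """True if the upstream version number falls in a listed affected range.

    Caveat (assumption of this example): only the upstream x.y.z prefix is
    compared. Vendor kernels often carry backported fixes without changing
    that prefix, so a True result there means "check the vendor advisory".
    """
    version = parse_release(release)
    for first_affected, first_fixed in AFFECTED_RANGES:
        above_floor = first_affected is None or version >= first_affected
        if above_floor and version < first_fixed:
            return True
    return False


def check_running_kernel():
    """Return (release string, affected?) for the kernel this host runs."""
    release = platform.release()
    return release, is_affected(release)


if __name__ == "__main__":
    release, affected = check_running_kernel()
    state = "in an affected range" if affected else "not in an affected range"
    print(f"{release}: {state} for CVE-2025-38709 (upstream numbering)")
```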