CVE-2025-40054
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF issue in f2fs_merge_page_bio()

As JY reported in bugzilla [1],

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5
Tainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Workqueue: writeback wb_workfn (flush-254:49)
Call trace:
 f2fs_is_cp_guaranteed+0x70/0x98
 f2fs_inplace_write_data+0x174/0x2f4
 f2fs_do_write_data_page+0x214/0x81c
 f2fs_write_single_data_page+0x28c/0x764
 f2fs_write_data_pages+0x78c/0xce4
 do_writepages+0xe8/0x2fc
 __writeback_single_inode+0x4c/0x4b4
 writeback_sb_inodes+0x314/0x540
 __writeback_inodes_wb+0xa4/0xf4
 wb_writeback+0x160/0x448
 wb_workfn+0x2f0/0x5dc
 process_scheduled_works+0x1c8/0x458
 worker_thread+0x334/0x3f0
 kthread+0x118/0x1ac
 ret_from_fork+0x10/0x20

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575

The panic was caused by UAF issue w/ below race condition:

kworker
- writepages
 - f2fs_write_cache_pages
  - f2fs_write_single_data_page
   - f2fs_do_write_data_page
    - f2fs_inplace_write_data
     - f2fs_merge_page_bio
      - add_ipu_page
      : cache page #1 into bio & cache bio in io->bio_list
  - f2fs_write_single_data_page
   - f2fs_do_write_data_page
    - f2fs_inplace_write_data
     - f2fs_merge_page_bio
      - add_ipu_page
      : cache page #2 into bio which is linked in io->bio_list

                                write
                                - f2fs_write_begin : write page #1
                                 - f2fs_folio_wait_writeback
                                  - f2fs_submit_merged_ipu_write
                                   - f2fs_submit_write_bio : submit bio which includes page #1 and #2

                                                                software IRQ
                                                                - f2fs_write_end_io
                                                                 - fscrypt_free_bounce_page : freed bounced page which belongs to page #2

      - inc_page_count( , WB_DATA_TYPE(data_folio), false)
      : data_folio points to fio->encrypted_page
        the bounced page can be freed before accessing it in f2fs_is_cp_guaranteed()

It can reproduce w/ below testcase:

Run below script in shell #1:
for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
    -c "pwrite 0 32k" -c "fdatasync"; done

Run below script in shell #2:
for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
    -c "pwrite 0 32k" -c "fdatasync"; done

So, in f2fs_merge_page_bio(), let's avoid using fio->encrypted_page after commit page into internal ipu cache.
Meta Information
Published: 2025-10-28
Last Modified: 2025-10-30
Generated: 2026-05-07
AI Q&A: 2025-10-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Use-After-Free (UAF) issue in the Linux kernel's f2fs file system, specifically in the function f2fs_merge_page_bio(). It occurs due to a race condition where a bounced page (encrypted_page) can be freed before it is accessed again, leading to a kernel NULL pointer dereference and potential system crash (kernel panic). The problem arises when multiple write operations interact with the bio list and page cache in a way that causes the freed page to be accessed afterward.


How can this vulnerability impact me?

This vulnerability can cause a kernel panic, leading to system crashes or instability. Since it involves a Use-After-Free condition in the kernel, it could potentially be exploited to cause denial of service by crashing the system. It may also affect data integrity during write operations on the f2fs file system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing kernel panic logs related to the f2fs filesystem, specifically errors involving NULL pointer dereference in f2fs_merge_page_bio(). You can monitor kernel logs using commands like 'dmesg' or 'journalctl -k' to look for crash traces similar to those described. Additionally, running the provided testcase scripts that repeatedly perform pwrite and fdatasync operations on an f2fs encrypted file can reproduce the issue, which can help in detection. Example commands to reproduce the issue are:

In shell #1:
for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file -c "pwrite 0 32k" -c "fdatasync"; done

In shell #2:
for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file -c "pwrite 0 32k" -c "fdatasync"; done
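A log-triage script, added here as an example (not from the CVE record or the kernel project), that groups 'dmesg' / 'journalctl -k' output into oops records and flags the signature quoted in the description (fault in f2fs_is_cp_guaranteed(), entered from f2fs_merge_page_bio() on the f2fs_inplace_write_data path). The sample log text is constructed, modelled on the trace in the description.

```python
import re

# Constructed `dmesg`/`journalctl -k` sample (not a real capture): the oops from the CVE text, then an unrelated one.
SAMPLE_DMESG = """\
[  812.104432] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.104501] pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
[  812.104530] lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
[  812.104590] Call trace:
[  812.104610]  f2fs_is_cp_guaranteed+0x70/0x98
[  812.104630]  f2fs_inplace_write_data+0x174/0x2f4
[  812.104650]  f2fs_do_write_data_page+0x214/0x81c
[  812.104710] ---[ end trace 0000000000000000 ]---
[  951.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  951.000100] pc : [0xffffffe51d300000] ext4_writepages+0x30/0x400
[  951.000200] lr : [0xffffffe51d300100] do_writepages+0xe8/0x2fc
[  951.000300] Call trace:
[  951.000400]  ext4_writepages+0x30/0x400
[  951.000500] ---[ end trace 0000000000000000 ]---
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s?")                        # "[  812.104432] " prefix
SYMBOL = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # func+offset/size

def parse_oopses(text):
    """Group kernel-log lines into oops records: {'pc', 'lr', 'trace'} (symbol names only)."""
    oopses, cur = [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if line.startswith("Unable to handle kernel NULL pointer dereference"):
            cur = {"pc": "", "lr": "", "trace": []}
            oopses.append(cur)
        elif cur is None:
            continue                              # noise between oops blocks
        elif line.startswith(("pc :", "lr :")):
            m = SYMBOL.search(line)               # skip the "[0x...]" raw address
            cur[line[:2]] = m.group(1) if m else ""
        elif "end trace" in line:
            cur = None                            # oops block complete
        else:
            m = SYMBOL.match(line)                # a bare call-trace frame
            if m:
                cur["trace"].append(m.group(1))
    return oopses

def matches_cve_2025_40054(oops):
    """Signature from the CVE description: fault in f2fs_is_cp_guaranteed(), entered from
    f2fs_merge_page_bio() on the in-place-update writeback path (f2fs_inplace_write_data)."""
    return (oops["pc"] == "f2fs_is_cp_guaranteed"
            and "f2fs_merge_page_bio" in (oops["lr"], *oops["trace"])
            and "f2fs_inplace_write_data" in oops["trace"])
```

Feed it `dmesg` output and keep the records for which matches_cve_2025_40054() is true; a match means the host has hit the crash and needs the patched kernel, not that it is merely vulnerable.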


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, avoid using the affected f2fs filesystem or disable features that trigger the vulnerable code path until a patched kernel version is applied. Applying the kernel update that fixes the use-after-free issue in f2fs_merge_page_bio() is the definitive fix. If updating is not immediately possible, refrain from running workloads that perform concurrent pwrite and fdatasync operations on encrypted files in f2fs, as demonstrated by the testcase, to reduce the risk of triggering the vulnerability.

