CVE-2025-71295
Awaiting Analysis Awaiting Analysis - Queue
Null pointer dereference in Linux kernel filesystem buffers

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71295
EUVD
EUVD-2025-209685
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's buffer management system. Specifically, the function try_to_free_buffers() can be called on memory folios that have no buffers attached. This happens when filemap_release_folio() is invoked on a folio belonging to a mapping with the AS_RELEASE_ALWAYS flag set but without a defined release_folio operation.

Because folio_needs_release() returns true due to the AS_RELEASE_ALWAYS flag, try_to_free_buffers() attempts to free buffers by calling drop_buffers() even though the folio has no private buffer data. This leads to a null pointer dereference, which can cause a kernel crash or instability.

The fix involves adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, along with a warning alert (WARN_ON_ONCE()) to indicate the misconfiguration. This change provides defensive hardening against this issue.

Impact Analysis

This vulnerability can lead to a null pointer dereference in the Linux kernel, which may cause the system to crash or become unstable. Such crashes can result in denial of service, potentially interrupting normal operations and affecting system availability.

Detection Guidance

This vulnerability involves a null pointer dereference in the Linux kernel's try_to_free_buffers() function when called on folios without buffers attached. Detection would typically involve monitoring kernel logs for WARN_ON_ONCE() alerts triggered by this condition.

You can check your system logs (e.g., using dmesg or journalctl) for warnings related to try_to_free_buffers or buffer management issues.

  • Run: dmesg | grep -i 'try_to_free_buffers'
  • Run: journalctl -k | grep -i 'try_to_free_buffers'

Since this is a kernel-level issue, there are no specific network commands to detect it. Detection relies on kernel log analysis.

Mitigation Strategies

The vulnerability has been resolved by adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, preventing the null pointer dereference.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

If updating immediately is not possible, monitor kernel logs for WARN_ON_ONCE() alerts related to this issue to detect potential exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71295. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart