CVE-2025-38627

HIGH EPSS 4.9%
Published Aug 22, 202510mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Aug 22, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic The decompress_io_ctx may be released asynchronously after I/O completion. If this file is deleted immediately after read, and the kworker of processing post_read_wq has not been executed yet due to high workloads, It is possible that the inode(f2fs_inode_info) is evicted and freed before it is used f2fs_free_dic. The UAF case as below: Thread A Thread B - f2fs_decompress_end_io - f2fs_put_dic - queue_work add free_dic work to post_read_wq - do_unlink - iput - evict - call_rcu This file is deleted after read. Thread C kworker to process post_read_wq - rcu_do_batch - f2fs_free_inode - kmem_cache_free inode is freed by rcu - process_scheduled_works - f2fs_late_free_dic - f2fs_free_dic - f2fs_release_decomp_mem read (dic->inode)->i_compress_algorithm This patch store compress_algorithm and sbi in dic to avoid inode UAF. In addition, the previous solution is deprecated in [1] may cause system hang. [1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
4.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 1

VendorProductVersionRange
linuxlinux_kernel*≥6.0  –  <6.16.1

References 5

  • git.kernel.org https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a
  • git.kernel.org https://git.kernel.org/stable/c/74cbeeca4f16823ba58c882e1d8b836c0e39c93d
  • git.kernel.org https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc81768212cdc509e5a986274db7bc24d18cde19

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9
    Patch