CVE-2025-71105

MEDIUM EPSS 2.4%
Published Jan 14, 20265mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 14, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace:  __kmem_cache_create include/linux/slab.h:353 [inline]  f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]  f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843  f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918  get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692  vfs_get_tree+0x43/0x140 fs/super.c:1815  do_new_mount+0x201/0x550 fs/namespace.c:3808  do_mount fs/namespace.c:4136 [inline]  __do_sys_mount fs/namespace.c:4347 [inline]  __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is existed cache which has the same name and trigger the warning. Let's changes to use global inline_xattr_slab instead of per-sb slab cache for fixing.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 15

VendorProductVersionRange
linuxlinux_kernel*≥5.7.1  –  <5.10.248
linuxlinux_kernel*≥5.11  –  <5.15.198
linuxlinux_kernel*≥5.16  –  <6.1.160
linuxlinux_kernel*≥6.2  –  <6.6.120
linuxlinux_kernel*≥6.7  –  <6.12.64
linuxlinux_kernel*≥6.13  –  <6.18.3
linuxlinux_kernel5.7any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a
    Patch