|
Vulnerabilities
< Back

CVE-2025-38652

Updated on 22 Aug 2025

Severity

7.1 High severity

Details

CVSS score
7.1
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in devs.path

  • touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
  • truncate -s $((102410241024))
    /mnt/f2fs/012345678901234567890123456789012345678901234567890123
  • touch /mnt/f2fs/file
  • truncate -s $((102410241024)) /mnt/f2fs/file
  • mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123
    -c /mnt/f2fs/file
  • mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123
    /mnt/f2fs/loop

[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices

If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path.

struct f2fs_dev_info { … char path[MAX_PATH_LEN]; … };

Let’s add one byte space for sbi->devs.path[] to store null character of device path string.

Details

Affected product:
AlmaLinux 9.2 ESU , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , Oracle Linux 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
Affected packages:
kernel-uek @ 5.4.17 (+8 more)

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in devs.path

  • touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
  • truncate -s $((102410241024))
    /mnt/f2fs/012345678901234567890123456789012345678901234567890123
  • touch /mnt/f2fs/file
  • truncate -s $((102410241024)) /mnt/f2fs/file
  • mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123
    -c /mnt/f2fs/file
  • mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123
    /mnt/f2fs/loop

[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices

If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path.

struct f2fs_dev_info { … char path[MAX_PATH_LEN]; … };

Let’s add one byte space for sbi->devs.path[] to store null character of device path string.

Fixes