CVE-2025-38347
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on ino and xnid
syzbot reported a f2fs bug as below:
INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace:
context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino.
dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3]
So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock.
- f2fs_mknod
- f2fs_add_inline_entry
- f2fs_get_inode_page --- lock dir's inode page
- f2fs_init_acl
- f2fs_acl_create(dir,..)
- __f2fs_get_acl
- f2fs_getxattr
- lookup_all_xattrs
- __get_node_page --- try to lock dir's inode page
In order to fix this, let's add sanity check on ino and xnid.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing sanity check on inode numbers (ino) and extended attribute node IDs (xnid) in the Linux kernel's F2FS filesystem can cause a task hang via a deadlock when handling crafted filesystem images.
Issue
CVE-2025-38347 describes a flaw in the Linux kernel's F2FS (Flash-Friendly File System) implementation. The root cause is the absence of a sanity check on the ino (inode number) and xnid (extended attribute node ID) values when reading extended attribute blocks [1]. This allows a crafted F2FS image to trigger an infinite loop or deadlock condition.
Exploitation
The attack vector is local, requiring either physical access or a root/privileged user to mount a malicious F2FS filesystem image. The syzkaller fuzzer reproduced the bug by triggering a call chain that starts with a bind() syscall on a Unix socket, leading to file creation operations that invoke f2fs_init_inode_metadata and eventually __get_node_page [1]. Because the sanity check is missing, the code enters a wait state that never resolves, causing the task to block indefinitely.
Impact
The primary impact is denial of service (DoS): a task blocked for more than 143 seconds was observed during testing, and the kernel prints a hung-task warning [1]. An attacker who can mount a corrupted or specially crafted F2FS image can cause a system hang, potentially affecting availability. There is no evidence of privilege escalation or data corruption in the report.
Mitigation
The fix was applied to the Linux kernel stable branches, as seen in the commit references [2][3][4]. Users should update their kernel to a version containing the fix. Siemens has also listed this CVE among many affecting their SIMATIC CN 4100 product and recommends updating to version V5.0 or later [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 3.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- git.kernel.org/stable/c/061cf3a84bde038708eb0f1d065b31b7c2456533nvdPatch
- git.kernel.org/stable/c/44e904a1ad09e84039058dcbbb1b9ea5b8d7d75dnvdPatch
- git.kernel.org/stable/c/5a06d97d5340c00510f24e80e8de821bd3bd9285nvdPatch
- git.kernel.org/stable/c/aaddc6c696bd1bff20eaacfa88579d6eae64d541nvdPatch
- git.kernel.org/stable/c/c4029044cc408b149e63db7dc8617a0783a3f10dnvdPatch
- git.kernel.org/stable/c/e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14nvdPatch
- git.kernel.org/stable/c/ecff54aa20b5b21db82e63e46066b55e43d72e78nvdPatch
- git.kernel.org/stable/c/fed611bd8c7b76b070aa407d0c7558e20d9e1f68nvdPatch
- lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlnvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdThird Party Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
News mentions
1- Siemens SIMATICCISA ICS Advisories