VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Aug 30, 2025 · Updated May 12, 2026

CVE-2025-38677

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in dnode page

As Jiaming Zhang reported:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x17e/0x800 mm/kasan/report.c:480
kasan_report+0x147/0x180 mm/kasan/report.c:593
data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
prepare_write_begin fs/f2fs/data.c:3395 [inline]
f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x546/0xa90 fs/read_write.c:686
ksys_write+0x149/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is that, in the corrupted image, there is a dnode that has the same node id as its inode, so during f2fs_get_dnode_of_data() it tries to access the block address in the dnode at offset 934; however, it parses the dnode as an inode node, so get_dnode_addr() returns 360, and it then tries to access the page address at 360 + 934 * 4 = 4096 with 4 bytes.

To fix this issue, let's add a sanity check for the node id of all direct nodes during f2fs_get_dnode_of_data().
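The offset arithmetic from the report and a node-id sanity check of the kind the fix describes, modelled in user-space C. This is an added example, not the kernel's f2fs code: 360, 934 and 4096 come from the report above, 923 and 1018 are f2fs's DEF_ADDRS_PER_INODE and DEF_ADDRS_PER_BLOCK, while the direct-node base of 0 and the exact form of the check are assumptions.

```c
/* Added example, not the kernel's f2fs code: a user-space model of the
 * block-address offset computation from the report and of a node-id sanity
 * check of the kind the fix describes. 360, 934 and 4096 are from the
 * report; 923 and 1018 are f2fs's DEF_ADDRS_PER_INODE / DEF_ADDRS_PER_BLOCK;
 * the direct-node base of 0 and the check's exact form are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_BYTES       4096u
#define INODE_ADDR_BASE  360u   /* get_dnode_addr() result for an inode node (report) */
#define DNODE_ADDR_BASE  0u     /* direct node: address array at page start (assumed) */
#define ADDRS_PER_INODE  923u
#define ADDRS_PER_BLOCK  1018u

/* Only the footer fields the check needs, modelled after the node footer. */
struct node_footer { uint32_t nid; uint32_t ino; };

/* Byte offset in the page that data_blkaddr() would read for this slot. */
static size_t blkaddr_offset(bool parsed_as_inode, unsigned ofs_in_node) {
    size_t base = parsed_as_inode ? INODE_ADDR_BASE : DNODE_ADDR_BASE;
    return base + (size_t)ofs_in_node * sizeof(uint32_t);
}

/* True when the 4-byte read at that offset stays inside the page. */
static bool blkaddr_in_page(bool parsed_as_inode, unsigned ofs_in_node) {
    return blkaddr_offset(parsed_as_inode, ofs_in_node) + sizeof(uint32_t) <= PAGE_BYTES;
}

/* True when the slot index is valid for the node type the page is parsed as. */
static bool ofs_in_addr_array(bool parsed_as_inode, unsigned ofs_in_node) {
    return ofs_in_node < (parsed_as_inode ? ADDRS_PER_INODE : ADDRS_PER_BLOCK);
}

/* Sanity check for a direct node reached from inode `ino`: it must belong to
 * that inode and must not carry the inode's own node id (nid == ino is what
 * makes the page get parsed as an inode node). */
static bool direct_node_is_sane(const struct node_footer *f, uint32_t ino) {
    return f->ino == ino && f->nid != ino;
}

int main(void) {
    /* Constructed footers: a well-formed dnode and the corrupted case. */
    struct node_footer good = { .nid = 7, .ino = 5 }, bad = { .nid = 5, .ino = 5 };
    printf("slot 934 parsed as inode: offset %zu, in page: %d\n",
           blkaddr_offset(true, 934), (int)blkaddr_in_page(true, 934));
    printf("good dnode sane: %d, corrupted dnode sane: %d\n",
           (int)direct_node_is_sane(&good, 5), (int)direct_node_is_sane(&bad, 5));
    return 0;
}
```

The corrupted case lands exactly at byte 4096, so the 4-byte read starts one byte past the page, while the same slot index is valid and in-page when the page is parsed as a direct node.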

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds access in Linux kernel f2fs driver due to missing node ID validation, allowing crash from a corrupted filesystem image.

Vulnerability

Overview

The Linux kernel's f2fs filesystem contains an out-of-bounds access vulnerability in the f2fs_get_dnode_of_data() function. When processing a corrupted filesystem image, a dnode (direct node) can share the same node ID as its inode. This causes the function to misinterpret the dnode as an inode node, leading to incorrect computation of the block address offset. The result is an out-of-bounds read beyond the allocated page boundary, as evidenced by the KASAN report in the commit message.

Attack

Vector

An attacker must be able to mount a maliciously crafted f2fs filesystem image. Once mounted, a write operation (e.g., via f2fs_write_begin) triggers the vulnerable code path, ultimately reaching f2fs_get_dnode_of_data(). No special privileges beyond mount capability are required. The vulnerability is triggered during normal file write operations, making it accessible to any user who can write to the filesystem.

Impact

Successful exploitation can cause a kernel crash (denial of service) as shown in the dumped stack trace. In theory, it may also lead to memory corruption or information disclosure, though the primary impact is system instability. The vulnerability is rated High with a CVSS v3 score of 7.1.

Mitigation

The fix, which adds a sanity check on the node ID of all direct nodes during f2fs_get_dnode_of_data(), has been committed to the Linux kernel stable tree [2][3][4]. Users should apply the latest kernel updates to address this issue. The vulnerability also affects Siemens SIMATIC CN 4100 devices (all versions < V5.0) [1], and Siemens recommends updating to V5.0 or later.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
