VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40054


Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF issue in f2fs_merge_page_bio()

As JY reported in bugzilla [1],

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5
Tainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Workqueue: writeback wb_workfn (flush-254:49)
Call trace:
 f2fs_is_cp_guaranteed+0x70/0x98
 f2fs_inplace_write_data+0x174/0x2f4
 f2fs_do_write_data_page+0x214/0x81c
 f2fs_write_single_data_page+0x28c/0x764
 f2fs_write_data_pages+0x78c/0xce4
 do_writepages+0xe8/0x2fc
 __writeback_single_inode+0x4c/0x4b4
 writeback_sb_inodes+0x314/0x540
 __writeback_inodes_wb+0xa4/0xf4
 wb_writeback+0x160/0x448
 wb_workfn+0x2f0/0x5dc
 process_scheduled_works+0x1c8/0x458
 worker_thread+0x334/0x3f0
 kthread+0x118/0x1ac
 ret_from_fork+0x10/0x20

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575

The panic was caused by a UAF issue with the race condition below:

kworker
- writepages
 - f2fs_write_cache_pages
  - f2fs_write_single_data_page
   - f2fs_do_write_data_page
    - f2fs_inplace_write_data
     - f2fs_merge_page_bio
      - add_inu_page
      : cache page #1 into bio & cache bio in io->bio_list
  - f2fs_write_single_data_page
   - f2fs_do_write_data_page
    - f2fs_inplace_write_data
     - f2fs_merge_page_bio
      - add_inu_page
      : cache page #2 into bio which is linked in io->bio_list

write
- f2fs_write_begin : write page #1
 - f2fs_folio_wait_writeback
  - f2fs_submit_merged_ipu_write
   - f2fs_submit_write_bio
   : submit bio which includes page #1 and #2

software IRQ
- f2fs_write_end_io
 - fscrypt_free_bounce_page
 : freed bounced page which belongs to page #2

kworker (continues)
      - inc_page_count( , WB_DATA_TYPE(data_folio), false)
      : data_folio points to fio->encrypted_page
        the bounced page can be freed before accessing it in f2fs_is_cp_guarantee()

It can reproduce w/ below testcase:

Run below script in shell #1:

    for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
        -c "pwrite 0 32k" -c "fdatasync"
    done

Run below script in shell #2:

    for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
        -c "pwrite 0 32k" -c "fdatasync"
    done

So, in f2fs_merge_page_bio(), let's avoid using fio->encrypted_page after committing the page into the internal ipu cache.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free (UAF) vulnerability in the Linux kernel's f2fs filesystem, triggered by a race condition in f2fs_merge_page_bio(), can lead to a NULL pointer dereference and system crash.

Vulnerability

Overview

CVE-2025-40054 is a use-after-free (UAF) vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation. The bug resides in the f2fs_merge_page_bio() function, where a race condition between a writeback worker and a write operation can cause a freed bounce page to be accessed, leading to a NULL pointer dereference. The issue was reported via a kernel bugzilla entry [1] and manifests as a kernel panic with the call trace showing f2fs_is_cp_guaranteed being invoked on a freed page.
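A triage helper for the crash signature quoted in the description, added here as an example (it is not part of the advisory or of the kernel): it parses the oops fields a crash pipeline keys on (faulting symbol, caller, taint flags and their legend, workqueue, call trace) from a constructed sample that re-splits the page's trace into the one-field-per-line layout the kernel prints, and reports whether a log matches this CVE's signature.

```python
import re
# Constructed sample: the oops quoted in the advisory, re-split into the
# one-field-per-line layout the kernel prints (call trace shortened).
SAMPLE_OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1
Tainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Workqueue: writeback wb_workfn (flush-254:49)
Call trace:
 f2fs_is_cp_guaranteed+0x70/0x98
 f2fs_inplace_write_data+0x174/0x2f4
 f2fs_write_single_data_page+0x28c/0x764
 wb_workfn+0x2f0/0x5dc
"""

REG = re.compile(r"^(?P<reg>pc|lr) : \[0x[0-9a-f]+\] (?P<sym>[\w.]+)\+0x")
TAINT = re.compile(r"Tainted: (?P<flags>[A-Z ]+?) (?P<ver>\d+\.\d+\.\S+)")
LEGEND = re.compile(r"\[([A-Z])\]=(\w+)")
FRAME = re.compile(r"^\s+(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_oops(text):
    """Pull out the fields a crash-triage pipeline keys on."""
    info = {"pc": None, "lr": None, "version": None, "taint": [],
            "taint_legend": {}, "workqueue": None, "trace": []}
    in_trace = False
    for line in text.splitlines():
        if m := REG.match(line):
            info[m["reg"]] = m["sym"]
        elif m := TAINT.search(line):
            info["taint"] = [c for c in m["flags"] if c != " "]
            info["version"] = m["ver"]
        elif line.startswith("Tainted: ["):   # newer kernels print a legend line
            info["taint_legend"] = dict(LEGEND.findall(line))
        elif line.startswith("Workqueue:"):
            info["workqueue"] = line.split(":", 1)[1].strip()
        elif line.startswith("Call trace:"):
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            info["trace"].append(m["sym"])
    return info

def matches_cve_2025_40054(info):
    """Signature from the advisory: fault in f2fs_is_cp_guaranteed, caller
    f2fs_merge_page_bio, on the in-place-update path of a writeback worker."""
    return (info["pc"] == "f2fs_is_cp_guaranteed"
            and info["lr"] == "f2fs_merge_page_bio"
            and "f2fs_inplace_write_data" in info["trace"]
            and (info["workqueue"] or "").startswith("writeback"))
```

A match identifies a host that needs the f2fs fix; the same race fires under ordinary concurrent writes, so it is not by itself evidence of an attack.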

Exploitation

Scenario

The race condition occurs when a kworker thread performing writeback (via f2fs_write_cache_pages) caches multiple pages into a bio in io->bio_list. Concurrently, a write operation (f2fs_write_begin) triggers submission of that bio via f2fs_submit_merged_ipu_write. When the bio completes, the software IRQ handler f2fs_write_end_io calls fscrypt_free_bounce_page, freeing the bounce page associated with the first page in the bio. However, the kworker thread may still hold a reference to that freed page, leading to a UAF condition when it later tries to access the page's metadata (e.g., checking checkpoint guarantee).

Impact

An attacker who can trigger this race condition (e.g., by performing concurrent write operations on an f2fs filesystem) can cause a kernel NULL pointer dereference, resulting in a system crash (denial of service). The vulnerability is exploitable locally by a user with write access to an f2fs mount. The crash trace indicates the panic occurs in f2fs_is_cp_guaranteed, which dereferences a pointer from the freed page structure.

Mitigation

The fix is included in the Linux kernel stable commit [1]. Users should apply the patch to their kernel to prevent the UAF. The vulnerability affects kernels prior to the fix; systems running updated kernels with the commit are not vulnerable. No workaround is mentioned in the advisory.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
