Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68266

Description

In the Linux kernel, the following vulnerability has been resolved:

bfs: Reconstruct file type when loading from disk

syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32-bit "mode" field loaded from disk are corrupted or when the 32-bit "attributes" field loaded from disk is corrupted.

The documentation says that BFS uses only the lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits) are initialized with 0.

Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk. Also, verify that the value of the "attributes" field loaded from disk is either BFS_VREG or BFS_VDIR (because BFS supports only regular files and the root directory).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel BFS filesystem has a vulnerability where corrupted on-disk file type bits can cause bogus inode modes, potentially leading to crashes or memory corruption.

Vulnerability Description

In the Linux kernel's BFS filesystem, the inode->i_mode S_IFMT bits can become corrupted when loading from disk due to insufficient validation. The BFS documentation indicates that only the lower 9 bits of the mode field are used, but the upper bits (including S_IFMT) are not guaranteed to be zero. Additionally, the 'attributes' field, which indicates file type, is not verified against the expected values (BFS_VREG or BFS_VDIR). This allows an attacker with the ability to write to a BFS filesystem image to craft corrupted mode or attributes fields, leading to a kernel state with invalid inode modes.

Exploitation

To exploit this vulnerability, an attacker needs to be able to mount a specially crafted BFS filesystem image. This could be achieved through physical access, a malicious storage device, or by loading a corrupted filesystem from a network source. The vulnerability does not require authenticated access to the system if the attacker can trigger filesystem mount. Once mounted, the kernel reads the corrupted on-disk structures into memory, resulting in an inode with an invalid mode.

Impact

A corrupted inode mode can cause the kernel to misinterpret the file type, leading to incorrect permission checks or type-specific operations. This may result in denial of service (kernel panic or crash) or potentially memory corruption if the invalid mode triggers unexpected code paths. The specific impact depends on how the corrupted inode is subsequently used.

Mitigation

The vulnerability is fixed in kernel commits [1], [2], and [3], which sanitize the mode by ignoring the S_IFMT bits read from disk and by validating the attributes field against the expected file types. Users should update to a kernel version containing these patches. No workaround is available other than not mounting untrusted BFS filesystems.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
