CVE-2025-68315
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to detect potential corrupted nid in free_nid_list
As reported, on-disk footer.ino and footer.nid are the same and out-of-range, let's add a sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing sanity check in the Linux kernel's f2fs filesystem could allow a corrupted nid in the free_nid_list to cause memory corruption or system instability.
Vulnerability Overview
In the Linux kernel's f2fs (Flash-Friendly File System) implementation, a flaw exists in the f2fs_alloc_nid() function. The function fails to validate that the node ID (nid) retrieved from the free_nid_list is within a valid range. As reported, the on-disk footer.ino and footer.nid can be identical and out-of-range, indicating a potential corruption that the code does not check for [1][2].
Exploitation and Attack Surface
An attacker with the ability to mount a crafted f2fs filesystem image (e.g., via a malicious storage device or a corrupted image) could trigger this vulnerability. No special privileges beyond those needed to mount the filesystem are required. The lack of a sanity check in f2fs_alloc_nid() means that an out-of-range nid could be used in subsequent operations, potentially leading to memory corruption or other undefined behavior.
Impact
If exploited, this vulnerability could lead to system instability, denial of service, or potentially arbitrary code execution in the kernel context. The exact impact depends on how the invalid nid is used after allocation, but the root cause is a missing validation that allows corrupted metadata to propagate.
Mitigation
The fix adds a sanity check in f2fs_alloc_nid() to detect and reject out-of-range nids, preventing the use of corrupted entries from the free_nid_list. The patch has been applied to the stable kernel tree [1][2]. Users are advised to update their kernels to include this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
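The range check described under Mitigation, shown as a simplified userspace model. This is an added example, not the kernel patch or f2fs code; the struct names, the [min_nid, max_nid) bounds and the latched "corrupted" flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Userspace model only: struct names and fields are assumptions, not kernel code. */
typedef uint32_t nid_t;
struct free_nid { nid_t nid; struct free_nid *next; };
struct nid_mgr {
    nid_t min_nid;              /* lowest nid usable for regular nodes */
    nid_t max_nid;              /* one past the highest valid nid */
    struct free_nid *free_list; /* cache of nids believed to be free */
    bool corrupted;             /* latched once a bad entry is seen */
};

static bool nid_in_range(const struct nid_mgr *m, nid_t nid)
{
    return nid >= m->min_nid && nid < m->max_nid;
}

/* Pop one nid. Fails on an empty list or when the head entry is out of range. */
bool model_alloc_nid(struct nid_mgr *m, nid_t *out)
{
    struct free_nid *e = m->free_list;
    if (m->corrupted || !e)
        return false;
    if (!nid_in_range(m, e->nid)) {
        m->corrupted = true;    /* refuse this and all later allocations */
        return false;
    }
    m->free_list = e->next;
    *out = e->nid;
    return true;
}

/* Constructed sample: free list 5 -> 7 -> 0xFFFFFFF0 -> 9, valid range [3, 1024). */
int demo_allocated_before_reject(void)
{
    struct free_nid d = { 9, NULL }, c = { 0xFFFFFFF0u, &d }, b = { 7, &c }, a = { 5, &b };
    struct nid_mgr m = { 3, 1024, &a, false };
    nid_t nid;
    int n = 0;
    while (model_alloc_nid(&m, &nid))
        n++;
    return m.corrupted ? n : -1;
}

int main(void)
{
    printf("allocated %d nids before rejecting the corrupted entry\n", demo_allocated_before_reject());
    return 0;
}
```

In the model, the entry after the out-of-range nid is never handed out, because the manager stops allocating once it has seen evidence that the list is corrupted.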