CVE-2025-68771
Description
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the cl_next_free_rec field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true:
1. cl_next_free_rec is equal to 0, indicating that there are no free chains in the allocation chain list 2. cl_next_free_rec is greater than cl_count (the total number of chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no chains left for usage.
This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in Linux kernel's ocfs2 filesystem causes a BUG panic when cl_next_free_rec is zero or exceeds cl_count.
Root
Cause
The vulnerability exists in the ocfs2_find_victim_chain() function within the Linux kernel's OCFS2 filesystem. The function contained a BUG_ON(!cl->cl_next_free_rec) assertion, which would trigger a kernel panic if the cl_next_free_rec field—indicating the next free slot in an allocation chain list—was zero. Syzbot discovered that this condition could be reached, causing a denial-of-service by crashing the system [1][2].
Exploitation
An attacker able to trigger filesystem operations that reach the ocfs2_claim_suballoc_bits() path may cause cl_next_free_rec to become zero or to exceed cl_count (the total number of chains). No special privileges beyond the ability to interact with an OCFS2 mount are required; the issue can be triggered locally through crafted filesystem activity [1][2].
Impact
Successful exploitation leads to a kernel BUG, resulting in a denial-of-service (system crash). There is no indication of memory corruption or privilege escalation—the impact is strictly availability [1][2].
Mitigation
The fix replaces the unconditional BUG_ON with an ocfs2_error() call (when either cl_next_free_rec == 0 or cl_next_free_rec > cl_count), which logs the error and handles the situation gracefully without panicking the kernel. The patch has been committed to the stable kernel tree [1][2]. Administrators should apply the update to patched kernels as soon as possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5fnvd
- git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7nvd
- git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268nvd
- git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869nvd
- git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21ddnvd
- git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ednvd
- git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966dnvd
News mentions
0No linked articles in our index yet.