CVE-2025-71271
Description
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: ensure sb->s_fs_info is always cleaned up
When hfsplus was converted to the new mount API, a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info data, it was leaked.
Fix this by freeing sb->s_fs_info in hfsplus_kill_super().
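The ownership handoff described above, as a user-space C model added here for illustration; it is not kernel source or the patch itself. The struct layouts, the `filled` flag and the helper names (kill_super_unfixed, kill_super_fixed, mount_once, leaked_after) are assumptions of the model.

```c
/* User-space model of the mount path; simplified, not kernel source. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
struct sb_info { int unused; };               /* stands in for the hfsplus private data */
struct super_block { struct sb_info *s_fs_info; bool filled; };
typedef void (*kill_fn)(struct super_block *);
static int live;                              /* private-data objects not yet freed */

/* Before the fix (model assumption): s_fs_info is freed only once fill_super owns it. */
static void kill_super_unfixed(struct super_block *sb)
{
    if (sb->filled) { free(sb->s_fs_info); live--; }
    free(sb);
}

/* After the fix: kill_sb frees s_fs_info on every teardown path. */
static void kill_super_fixed(struct super_block *sb)
{
    if (sb->s_fs_info) { free(sb->s_fs_info); live--; }
    free(sb);
}

/* One mount attempt: context allocation, sget_fc() handoff, optional failure. */
static void mount_once(bool bdev_setup_fails, kill_fn kill_sb)
{
    struct sb_info *fc_s_fs_info = calloc(1, sizeof(*fc_s_fs_info));
    struct super_block *sb = calloc(1, sizeof(*sb));
    if (!fc_s_fs_info || !sb) exit(1);
    live++;
    sb->s_fs_info = fc_s_fs_info;             /* sget_fc(): sb now owns the data */
    fc_s_fs_info = NULL;                      /* context cleanup can no longer free it */
    sb->filled = !bdev_setup_fails;           /* fill_super runs only if setup succeeded */
    kill_sb(sb);                              /* failed mount or later unmount */
}

/* Number of s_fs_info objects still allocated after `attempts` mounts. */
static int leaked_after(int attempts, bool bdev_setup_fails, kill_fn kill_sb)
{
    live = 0;
    for (int i = 0; i < attempts; i++)
        mount_once(bdev_setup_fails, kill_sb);
    return live;
}

int main(void)
{
    printf("unfixed, failing setup: %d leaked\n", leaked_after(1000, true, kill_super_unfixed));
    printf("fixed,   failing setup: %d leaked\n", leaked_after(1000, true, kill_super_fixed));
    return 0;
}
```

In the model, each failed mount attempt on the unfixed path leaves one private-data object allocated, while successful mounts leak nothing on either path.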
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's HFS+ filesystem (hfsplus) when mounting a device could allow denial of service.
Vulnerability
A memory leak was discovered in the Linux kernel's HFS+ filesystem (hfsplus) during mount operations. When the filesystem was converted to the new mount API, a bug was introduced: if setup_bdev_super() fails after a new superblock is allocated but before hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info, the allocated memory is not freed, leading to a leak [1].
Exploitation
To exploit this vulnerability, an attacker requires the ability to mount a crafted HFS+ filesystem, typically necessitating local access or the ability to introduce a malicious storage device. The bug is triggered specifically when the mount fails after the superblock allocation, which can be induced by causing setup_bdev_super() to fail. No special privileges beyond mount capability are needed.
Impact
Successful exploitation causes a memory leak, potentially exhausting system memory over repeated mount attempts and leading to system instability or denial of service. There is no evidence of code execution or privilege escalation.
Mitigation
The fix is included in stable kernel updates. The commit referenced in [1] frees sb->s_fs_info in hfsplus_kill_super() to prevent the leak. Users should apply the latest stable kernel updates to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.