CVE & CISA-KEV Catalog

CVE-2025-40025

MEDIUM
6.1
CVSS v3
NVD

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode As syzbot reported below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/file.c:1243! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full) RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243 Call Trace: <TASK> f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306 f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018 vfs_fallocate+0x666/0x7e0 fs/open.c:342 ksys_fallocate fs/open.c:366 [inline] __do_sys_fallocate fs/open.c:371 [inline] __se_sys_fallocate fs/open.c:369 [inline] __x64_sys_fallocate+0xc0/0x110 fs/open.c:369 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1e65f8ebe9 w/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent truncation range in direct node in f2fs_truncate_hole(). The root cause is: a non-inode dnode may has the same footer.ino and footer.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE() may return wrong blkaddr count which may be 923 typically, by chance, dn.ofs_in_node is equal to 923, then count can be calculated to 0 in below statement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...). count = min(end_offset - dn.ofs_in_node, pg_end - pg_start); This patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing passing the new_type to sanity_check_node_footer in f2fs_get_node_folio() to detect corruption that a non-inode dnode has the same footer.ino and footer.nid. Scripts to reproduce: mkfs.f2fs -f /dev/vdb mount /dev/vdb /mnt/f2fs touch /mnt/f2fs/foo touch /mnt/f2fs/bar dd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8 umount /mnt/f2fs inject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb mount /dev/vdb /mnt/f2fs xfs_io /mnt/f2fs/foo -c "fpunch 6984k 4k"

How to fix

Remediation Available
linuxDebian
Fixed in:6.17.6-1CVE-2025-40025
linuxUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-awsUbuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-gcpUbuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-6.17.0-1003-realtimeUbuntu
Fixed in:6.17.0-1003.4USN-7906-1
linux-image-6.17.0-1004-awsUbuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-6.17.0-1004-aws-64kUbuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-6.17.0-1004-gcpUbuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-6.17.0-1004-gcp-64kUbuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-6.17.0-1005-raspiUbuntu
Fixed in:6.17.0-1005.5USN-7906-3
linux-image-6.17.0-7-genericUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-6.17.0-7-generic-64kUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-awsUbuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-aws-6.17Ubuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-aws-64kUbuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-aws-64k-6.17Ubuntu
Fixed in:6.17.0-1004.4USN-7906-1
linux-image-gcpUbuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-gcp-6.17Ubuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-gcp-64kUbuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-gcp-64k-6.17Ubuntu
Fixed in:6.17.0-1004.4USN-7906-2
linux-image-genericUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-generic-6.17Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-generic-64kUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-generic-64k-6.17Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-generic-64k-hwe-24.04Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-generic-hwe-24.04Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-oem-24.04Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-oem-24.04cUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-raspiUbuntu
Fixed in:6.17.0-1005.5USN-7906-3
linux-image-raspi-6.17Ubuntu
Fixed in:6.17.0-1005.5USN-7906-3
linux-image-realtimeUbuntu
Fixed in:6.17.0-1003.4USN-7906-1
linux-image-realtime-6.17Ubuntu
Fixed in:6.17.0-1003.4USN-7906-1
linux-image-realtime-hwe-24.04Ubuntu
Fixed in:6.17.0-1003.4USN-7906-1
linux-image-virtualUbuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-virtual-6.17Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-image-virtual-hwe-24.04Ubuntu
Fixed in:6.17.0-7.7USN-7906-1
linux-raspiUbuntu
Fixed in:6.17.0-1005.5USN-7906-3
linux-realtimeUbuntu
Fixed in:6.17.0-1003.4USN-7906-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityLow
AvailabilityHigh

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:U

Exploit Intelligence

0.17%probability of exploitation in 30 days
6thpercentile

Low risk: more likely to be exploited than 6% of all known CVEs.

References

Embed a live status badge for CVE-2025-40025
CVE-2025-40025 severity badge

Markdown

[![CVE-2025-40025](https://tridentstack.com/cve/badge/CVE-2025-40025.svg)](https://tridentstack.com/cve/CVE-2025-40025)

HTML

<a href="https://tridentstack.com/cve/CVE-2025-40025"><img src="https://tridentstack.com/cve/badge/CVE-2025-40025.svg" alt="CVE-2025-40025"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-30.