CVE-2025-21722
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's nilfs2 filesystem driver allows local attackers to potentially crash the system or execute arbitrary code. This occurs when the filesystem detects corruption and falls back to read-only mode, causing buffer state inconsistencies. Systems using the nilfs2 filesystem are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to kernel-level code execution, leading to complete system compromise.
Likely Case
Kernel panic or system crash causing denial of service.
If Mitigated
Limited impact if nilfs2 filesystem is not mounted or SELinux/AppArmor restricts access.
🎯 Exploit Status
Requires local access and ability to trigger nilfs2 corruption detection. No public exploits known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches (commits: 1098bb8d52419d262a3358d099a1598a920b730f, 19296737024cd220a1d6590bf4c092bca8c99497, etc.)
Vendor Advisory: https://git.kernel.org/stable/c/1098bb8d52419d262a3358d099a1598a920b730f
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable nilfs2 mounting
LinuxPrevent nilfs2 filesystem from being mounted to eliminate attack surface.
echo 'install nilfs2 /bin/true' >> /etc/modprobe.d/disable-nilfs2.conf
rmmod nilfs2 2>/dev/null || true
🧯 If You Can't Patch
- Ensure nilfs2 filesystem is not mounted on any system partitions.
- Implement strict access controls to limit who can mount filesystems or trigger filesystem operations.
🔍 How to Verify
Check if Vulnerable:
Check if nilfs2 module is loaded: lsmod | grep nilfs2. Check kernel version against patched releases.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes patched commits. Check /proc/version or uname -r against distribution security updates.📡 Detection & Monitoring
Log Indicators:
- Kernel warnings about 'mark_buffer_dirty' or 'nilfs_btree_propagate'
- System crashes or kernel panics when using nilfs2
- Read-only fallback messages for nilfs2 filesystem
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
source="kernel" AND ("mark_buffer_dirty" OR "nilfs_btree_propagate" OR "nilfs2")🔗 References
- https://git.kernel.org/stable/c/1098bb8d52419d262a3358d099a1598a920b730f
- https://git.kernel.org/stable/c/19296737024cd220a1d6590bf4c092bca8c99497
- https://git.kernel.org/stable/c/4d042811c72f71be7c14726db2c72b67025a7cb5
- https://git.kernel.org/stable/c/557ccf5e49f1fb848a29698585bcab2e50a597ef
- https://git.kernel.org/stable/c/7d0544bacc11d6aa26ecd7debf9353193c7a3328
- https://git.kernel.org/stable/c/ca76bb226bf47ff04c782cacbd299f12ddee1ec1
- https://git.kernel.org/stable/c/f51ff43c4c5a6c8e72d0aca89e4d5e688938412f
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
