CVE-2025-38163
📋 TL;DR
This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's F2FS filesystem driver. When processing a specially crafted filesystem image, the kernel can crash due to an inconsistency between the total valid block count and actual mapped blocks, leading to a denial of service. This affects any system using the F2FS filesystem with a vulnerable kernel version.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or corruption if the crash occurs during critical operations.
Likely Case
System crash requiring reboot when a malicious or corrupted F2FS filesystem image is mounted or accessed.
If Mitigated
Limited impact if systems don't use F2FS or have proper input validation for filesystem images.
🎯 Exploit Status
Requires ability to create/mount malicious F2FS filesystem images. Found through fuzzing (syzbot).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 05872a167c2cab80ef186ef23cc34a6776a1a30c and related fixes
Vendor Advisory: https://git.kernel.org/stable/c/05872a167c2cab80ef186ef23cc34a6776a1a30c
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Rebuild kernel if compiling from source with the fix commits.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable F2FS module
Linux: Prevent loading of the F2FS kernel module if it is not needed
echo 'blacklist f2fs' > /etc/modprobe.d/f2fs-blacklist.conf
rmmod f2fs
Avoid untrusted F2FS images
All: Do not mount F2FS filesystem images from untrusted sources
🧯 If You Can't Patch
- Restrict mount permissions to prevent non-privileged users from mounting filesystems
- Implement strict access controls on directories where F2FS images might be stored
🔍 How to Verify
Check if Vulnerable:
Check if F2FS module is loaded: lsmod | grep f2fs. Check kernel version against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits. Test with known vulnerable F2FS image if available.
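The lsmod check above misses kernels where F2FS is compiled in, so the following added example (not part of the original advisory) classifies exposure from /proc/modules, /proc/filesystems and /proc/mounts together. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify how exposed a host is to the F2FS driver.
# Usage: f2fs_exposure [modules] [filesystems] [mounts]  (defaults: /proc files)
# Prints: mounted | module-loaded | builtin | not-registered

has_field() {  # has_field <file> <awk field> <value>: true if any line matches
    awk -v want="$3" "$2 == want { found = 1 } END { exit (found ? 0 : 1) }" "$1"
}

f2fs_exposure() {
    modules=${1:-/proc/modules}
    filesystems=${2:-/proc/filesystems}
    mounts=${3:-/proc/mounts}
    if has_field "$mounts" '$3' f2fs; then
        echo mounted          # field 3 of /proc/mounts is the fs type
    elif ! has_field "$filesystems" '$NF' f2fs; then
        echo not-registered   # driver absent, or a module not loaded yet
    elif has_field "$modules" '$1' f2fs; then
        echo module-loaded    # rmmod and the blacklist entry can apply
    else
        echo builtin          # compiled in: lsmod shows nothing, blacklist has no effect
    fi
}

# Constructed sample: F2FS built into the kernel, no F2FS volume mounted.
d=$(mktemp -d)
printf 'ext4 737280 1 - Live 0x0\n' > "$d/modules"
printf 'nodev\tproc\n\text4\n\tf2fs\n' > "$d/filesystems"
printf '/dev/sda1 / ext4 rw,relatime 0 0\n' > "$d/mounts"
f2fs_exposure "$d/modules" "$d/filesystems" "$d/mounts"
```

Called with no arguments, f2fs_exposure reads the live /proc files. A result of not-registered only means the driver is not active now; a loadable module can still be pulled in unless module loading is blocked.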
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning f2fs
- BUG at fs/f2fs/f2fs.h:2521
- dec_valid_block_count+0x3b2/0x3c0 in stack traces
SIEM Query:
source="kernel" AND ("f2fs" AND ("panic" OR "BUG" OR "Oops"))
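The indicators above can also be checked on a saved kernel log without a SIEM. This added example (not from the original advisory) separates the two signatures listed under Log Indicators from the broader keyword match of the SIEM query; the log lines and the function name f2fs_example_fn are constructed. It matches the symbol and file name without the exact offset or line number, on the assumption that those differ between kernel builds.

```sh
#!/bin/sh
# Added example: count F2FS crash indicators in a kernel log.
# Usage: scan_f2fs_crash [logfile]   (reads stdin when no file is given)
# Prints: specific=N generic=M
scan_f2fs_crash() {
    awk '
        # Signatures from the advisory, tolerant of line-number/offset drift.
        /BUG at fs\/f2fs\/f2fs\.h:[0-9]+/ || /dec_valid_block_count\+0x/ {
            specific++; next
        }
        # Same logic as the SIEM query: f2fs AND (panic OR BUG OR Oops).
        tolower($0) ~ /f2fs/ && /panic|BUG|Oops/ { generic++ }
        END { printf "specific=%d generic=%d\n", specific, generic }
    ' "$@"
}

# Constructed sample log (not captured from a real system).
log=$(mktemp)
cat > "$log" <<'EOF'
[  101.000001] F2FS-fs (loop0): Mounted with checkpoint version = 1
[  101.500000] ------------[ cut here ]------------
[  101.500010] kernel BUG at fs/f2fs/f2fs.h:2521!
[  101.500020] Oops: invalid opcode: 0000 [#1] SMP
[  101.500030] RIP: 0010:dec_valid_block_count+0x3b2/0x3c0
[  250.000000] BUG: KASAN: use-after-free in f2fs_example_fn+0x10/0x20
[  300.000000] EXT4-fs (sda1): re-mounted
EOF
scan_f2fs_crash "$log"
```

On a live host the input can come from `dmesg` or `journalctl -k --no-pager`. A nonzero specific count points at this CVE's crash path, while generic hits are other F2FS faults that still need triage.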
🔗 References
- https://git.kernel.org/stable/c/05872a167c2cab80ef186ef23cc34a6776a1a30c
- https://git.kernel.org/stable/c/25f3776b58c1c45ad2e50ab4b263505b4d2378ca
- https://git.kernel.org/stable/c/49bc7bf38e42cfa642787e947f5721696ea73ac3
- https://git.kernel.org/stable/c/65b3f76592aed5a43c4d79375ac097acf975972b
- https://git.kernel.org/stable/c/6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d
- https://git.kernel.org/stable/c/a39cc43efc1bca74ed9d6cf9e60b995071f7d178
- https://git.kernel.org/stable/c/ccc28c0397f75a3ec9539cceed9db014d7b73869
- https://git.kernel.org/stable/c/f1b743c1955151bd392539b739a3ad155296be13
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html