CVE-2025-38218

5.5 MEDIUM

📋 TL;DR

A vulnerability in the Linux kernel's F2FS filesystem allows attackers to trigger a kernel panic (denial of service) by mounting a specially crafted corrupted F2FS image. This affects systems using F2FS filesystems, particularly those that process untrusted filesystem images. The vulnerability occurs due to insufficient sanity checking of sit_bitmap_size metadata.

💻 Affected Systems

Products:
  • Linux kernel with F2FS support
Versions: Linux kernel versions that do not include the stable-tree fix commits listed under Official Fix
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with F2FS filesystem support compiled into kernel or loaded as module, and when mounting F2FS images.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠 Likely Case

Local denial of service when mounting a malicious F2FS image, requiring system reboot to recover.

🟢 If Mitigated

No impact if systems don't mount untrusted F2FS images or have patched kernels.

🌐 Internet-Facing: LOW - Requires local access or ability to mount filesystem images, not directly network exploitable.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or through compromised accounts to cause system crashes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM - Requires ability to create/mount F2FS images and local access.

Exploitation requires creating a specially crafted F2FS image and mounting it, which typically requires local user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Linux kernel stable releases via commits: 38ef48a8afef8df646b6f6ae7abb872f18b533c1, 3e5ac62a56a24f4d88ce8ffd7bc452428b235868, 5db0d252c64e91ba1929c70112352e85dc5751e7, 79ef8a6c4ec53d327580fd7d2b522cf4f1d05b0c, 82f51bff393e4c12cf4de553120ca831cfa4ef19

Vendor Advisory: https://git.kernel.org/stable/c/38ef48a8afef8df646b6f6ae7abb872f18b533c1

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fixes.
2. Check distribution security advisories.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable F2FS module

linux

Prevent loading of F2FS kernel module to mitigate vulnerability

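# Run as root. Any later attempt to load f2fs runs /bin/true instead; has no effect if F2FS is built into the kernel.
echo 'install f2fs /bin/true' >> /etc/modprobe.d/disable-f2fs.conf
# Unload the module if it is currently loaded; this fails while an F2FS filesystem is mounted.
rmmod f2fs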

Restrict mount permissions

linux

Limit who can mount filesystems using sudoers or other access controls

# In /etc/sudoers or sudoers.d file:
# Remove mount privileges for non-admin users

🧯 If You Can't Patch

  • Restrict local user access to prevent mounting of untrusted filesystem images
  • Implement monitoring for mount operations and kernel panic events

🔍 How to Verify

Check if Vulnerable:

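Check the kernel version and whether the F2FS module is loaded (lsmod shows nothing when F2FS is built into the kernel rather than loaded as a module): uname -r && lsmod | grep f2fs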

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and check git commit history for fix inclusion
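
The lsmod check above only sees F2FS when it is a loaded module. The script below is an added example, not part of the original advisory: it reads /proc/filesystems, /proc/modules and /etc/modprobe.d to tell apart a built-in driver, a loaded module, a host where the install override from the workaround is in place, and a host where a mount may still auto-load the module. The function name f2fs_exposure and its state labels are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): classify how reachable F2FS is on a host.
# The three paths are parameters so the logic can be run against saved copies;
# with no arguments it reads the live system.

# Prints one of:
#   builtin        f2fs is registered but is not a module (modprobe rules cannot stop it)
#   module-loaded  the f2fs module is loaded; mounts reach the F2FS code now
#   blocked        not registered, and an "install f2fs ..." override is in place
#   unblocked      not registered, but a mount of type f2fs may auto-load the module
f2fs_exposure() {
    fs_list=${1:-/proc/filesystems}
    mod_list=${2:-/proc/modules}
    conf_dir=${3:-/etc/modprobe.d}

    # /proc/filesystems lists each registered type as "<flag>\t<name>".
    if grep -q '[[:space:]]f2fs$' "$fs_list" 2>/dev/null; then
        if grep -q '^f2fs ' "$mod_list" 2>/dev/null; then
            echo module-loaded
        else
            echo builtin
        fi
        return 0
    fi

    # Look for an uncommented "install f2fs <command>" line, the form the
    # workaround writes to disable-f2fs.conf.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+f2fs[[:space:]]'; then
        echo blocked
    else
        echo unblocked
    fi
}

echo "kernel $(uname -r): f2fs is $(f2fs_exposure "$@")"
```

A result of builtin means the modprobe workaround does not apply and only a patched kernel or mount restrictions reduce exposure.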

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning f2fs_ra_meta_pages
  • Mount failures of F2FS images
  • System crash/reboot events
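
One way to turn the first log indicator into a check, as an added example that is not part of the original advisory: the function reads a kernel log and reports crash records whose register dump or call trace names f2fs_ra_meta_pages, so ordinary F2FS mount messages do not alert. The function names, the 40-line window and the sample log are assumptions made for illustration; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): find crash records in a kernel log
# whose register dump or call trace names f2fs_ra_meta_pages.

# Reads a kernel log on stdin and prints the crash-marker line of each record
# that has the symbol within WINDOW lines (default 40) of the marker, in either
# order. Ordinary F2FS mount messages never match.
f2fs_crash_events() {
    awk -v W="${1:-40}" '
        NR <= quiet { next }    # still inside a record already reported
        /kernel BUG at|Kernel panic - not syncing|Oops: |BUG: / { crash = NR; hdr = $0 }
        /f2fs_ra_meta_pages/ { sym = NR }
        crash && sym && crash - sym <= W && sym - crash <= W {
            print hdr
            quiet = NR + W; crash = sym = 0
        }'
}

# Constructed sample, not captured from a real system.
sample_log() {
    cat <<'EOF'
[   12.104233] F2FS-fs (loop0): Mounted with checkpoint version = 3
[   48.551870] EXT4-fs (sda1): re-mounted
[  131.902114] kernel BUG at (location omitted)
[  131.902130] RIP: 0010:f2fs_ra_meta_pages+0x10/0x20
[  131.902145] Call Trace:
[  131.902160]  f2fs_ra_meta_pages+0x10/0x20
[  131.903001] Kernel panic - not syncing: Fatal exception
EOF
}

sample_log | f2fs_crash_events
```

Feed it the previous boot's kernel log or a captured serial or netconsole stream, since a panicking kernel often cannot write its last messages to local disk.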

Network Indicators:

  • None - local exploitation only

SIEM Query:

(event_type:kernel_panic AND message:"f2fs") OR (event_type:mount AND filesystem:"f2fs")
