CVE-2025-38276

5.5 MEDIUM

📋 TL;DR

A race condition vulnerability in the Linux kernel's DAX (Direct Access) filesystem implementation can cause system instability or crashes when performing truncate operations on XFS filesystems with DAX enabled. The bug occurs when waiting for locked entries during scanning, causing entries to be skipped and leading to inconsistent state. This affects systems using XFS with DAX enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing commit 6be3e21d25ca up to fixes in stable releases
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when XFS filesystem is configured with DAX (Direct Access) enabled. Requires specific filesystem operations like truncate.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

System crash or kernel panic leading to denial of service and potential data corruption on affected filesystems.

🟠 Likely Case

Intermittent system instability, kernel warnings, and potential filesystem corruption during truncate operations on DAX-enabled XFS.

🟢 If Mitigated

Minor performance impact or occasional warnings in kernel logs without system compromise.

🌐 Internet-Facing: LOW - This is a local filesystem vulnerability requiring local access or specific filesystem operations.
🏢 Internal Only: MEDIUM - Internal users or processes performing truncate operations on DAX-enabled XFS could trigger system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific filesystem operations on DAX-enabled XFS. More likely to cause instability than privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in stable kernel releases via commits 61009dd2252ab4391d44a240e891f1e04c00b9ca and dd59137bfe70cf3646021b4721e430213b9c71bd

Vendor Advisory: https://git.kernel.org/stable/c/61009dd2252ab4391d44a240e891f1e04c00b9ca

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix.
2. Check your distribution's security advisories.
3. Reboot to load the new kernel.

🔧 Temporary Workarounds

Disable DAX on XFS filesystems

Disable Direct Access (DAX) feature on XFS filesystems to avoid the vulnerable code path

mount -o remount,nodax /mount/point
Add 'nodax' to /etc/fstab mount options for XFS partitions

🧯 If You Can't Patch

  • Avoid truncate operations on DAX-enabled XFS filesystems
  • Monitor system logs for the specific warning messages and restart affected services if warnings appear

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r, then check /proc/mounts for XFS filesystems mounted with the 'dax' option.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is newer than affected range and test with xfstests generic/068 on DAX-enabled XFS

📡 Detection & Monitoring

Log Indicators:

  • Kernel warnings containing 'truncate_folio_batch_exceptionals' or similar stack traces
  • System logs showing filesystem errors on XFS with DAX

Network Indicators:

  • None - this is a local filesystem issue

SIEM Query:

kernel_warning:"truncate_folio_batch_exceptionals" OR (filesystem_error:"XFS" AND "DAX")
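
The checks under "How to Verify" and "Log Indicators", as an added shell example that is not part of the original advisory or of the kernel project. The function names and the sample data are constructed for illustration, and the option spellings matched here (`dax`, `dax=...` other than `dax=never`) are an assumption about how the mount option appears in /proc/mounts.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-38276 exposure (hypothetical names).

# Read /proc/mounts-format text on stdin; print mount points of XFS
# filesystems whose option list enables DAX. Options are split on commas so
# that a path such as /mnt/dax-backup or an option like dax=never is not a hit.
xfs_dax_mounts() {
    awk '$3 == "xfs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "dax" || (opt[i] ~ /^dax=/ && opt[i] != "dax=never")) {
                print $2
                break
            }
    }'
}

# Read kernel log text on stdin; print how many lines name the function
# listed in the advisory's log indicators. grep exits 1 on zero matches,
# so the status is normalised for callers running under `set -e`.
count_truncate_warnings() {
    grep -c 'truncate_folio_batch_exceptionals' || true
}

# Constructed sample input in /proc/mounts format.
sample_mounts() {
    cat <<'EOF'
/dev/pmem0 /mnt/pmem xfs rw,relatime,attr2,dax=always,inode64 0 0
/dev/pmem1 /mnt/scratch xfs rw,relatime,dax=never 0 0
/dev/sdb1 /mnt/dax-backup xfs rw,relatime 0 0
/dev/pmem2 /mnt/old xfs rw,dax 0 0
/dev/pmem3 /mnt/ext ext4 rw,dax 0 0
EOF
}

# Constructed sample kernel log text.
sample_klog() {
    cat <<'EOF'
[  101.000001] XFS (pmem0): Mounting V5 Filesystem (constructed line)
[  245.000002] WARNING: in truncate_folio_batch_exceptionals (constructed line)
[  245.000003] unrelated message (constructed line)
EOF
}

echo "DAX-enabled XFS mounts in sample:"
sample_mounts | xfs_dax_mounts
echo "matching kernel log lines in sample: $(sample_klog | count_truncate_warnings)"
```

On a live host, feed the real sources instead: `xfs_dax_mounts < /proc/mounts` and `dmesg | count_truncate_warnings`.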
