CVE-2025-38626 (GCVE-0-2025-38626)

Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-06-01 16:05
VLAI
Title
f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
Summary
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode w/ "mode=lfs" mount option, generic/299 will cause system panic as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2835! Call Trace: <TASK> f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may trigger foreground gc only if it allocates any physical block, it will be a little bit later when there is multiple threads writing data w/ aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so f2fs_map_blocks() does block allocations aggressively. In order to fix this issue, let's give a chance to trigger foreground gc in prior to block allocation in f2fs_map_blocks().
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < c737047f4665232d1e26b3620bc62df334545451 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < f289690f50a01c3e085d87853392d5b7436a4cee (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 82765ce5c7a56f9309ee45328e763610eaf11253 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 385e64a0744584397b4b52b27c96703516f39968 (git)
Affected: 36abef4e796d382e81a0c2d21ea5327481dd7154 , < 1005a3ca28e90c7a64fa43023f866b960a60f791 (git)
Create a notification for this product.
Linux Linux Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.15.209 , ≤ 5.15.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c737047f4665232d1e26b3620bc62df334545451",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "f289690f50a01c3e085d87853392d5b7436a4cee",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "82765ce5c7a56f9309ee45328e763610eaf11253",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "385e64a0744584397b4b52b27c96703516f39968",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            },
            {
              "lessThan": "1005a3ca28e90c7a64fa43023f866b960a60f791",
              "status": "affected",
              "version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\n\nw/ \"mode=lfs\" mount option, generic/299 will cause system panic as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2835!\nCall Trace:\n \u003cTASK\u003e\n f2fs_allocate_data_block+0x6f4/0xc50\n f2fs_map_blocks+0x970/0x1550\n f2fs_iomap_begin+0xb2/0x1e0\n iomap_iter+0x1d6/0x430\n __iomap_dio_rw+0x208/0x9a0\n f2fs_file_write_iter+0x6b3/0xfa0\n aio_write+0x15d/0x2e0\n io_submit_one+0x55e/0xab0\n __x64_sys_io_submit+0xa5/0x230\n do_syscall_64+0x84/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0010:new_curseg+0x70f/0x720\n\nThe root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may\ntrigger foreground gc only if it allocates any physical block, it will be\na little bit later when there is multiple threads writing data w/\naio/dio/bufio method in parallel, since we always use OPU in lfs mode, so\nf2fs_map_blocks() does block allocations aggressively.\n\nIn order to fix this issue, let\u0027s give a chance to trigger foreground\ngc in prior to block allocation in f2fs_map_blocks()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T16:05:25.352Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c737047f4665232d1e26b3620bc62df334545451"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee"
        },
        {
          "url": "https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253"
        },
        {
          "url": "https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968"
        },
        {
          "url": "https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791"
        }
      ],
      "title": "f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38626",
    "datePublished": "2025-08-22T16:00:34.867Z",
    "dateReserved": "2025-04-16T04:51:24.029Z",
    "dateUpdated": "2026-06-01T16:05:25.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38626",
      "date": "2026-06-09",
      "epss": "0.00024",
      "percentile": "0.06859"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38626\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-22T16:15:36.193\",\"lastModified\":\"2026-06-01T17:16:35.500\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\\n\\nw/ \\\"mode=lfs\\\" mount option, generic/299 will cause system panic as below:\\n\\n------------[ cut here ]------------\\nkernel BUG at fs/f2fs/segment.c:2835!\\nCall Trace:\\n \u003cTASK\u003e\\n f2fs_allocate_data_block+0x6f4/0xc50\\n f2fs_map_blocks+0x970/0x1550\\n f2fs_iomap_begin+0xb2/0x1e0\\n iomap_iter+0x1d6/0x430\\n __iomap_dio_rw+0x208/0x9a0\\n f2fs_file_write_iter+0x6b3/0xfa0\\n aio_write+0x15d/0x2e0\\n io_submit_one+0x55e/0xab0\\n __x64_sys_io_submit+0xa5/0x230\\n do_syscall_64+0x84/0x2f0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\nRIP: 0010:new_curseg+0x70f/0x720\\n\\nThe root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may\\ntrigger foreground gc only if it allocates any physical block, it will be\\na little bit later when there is multiple threads writing data w/\\naio/dio/bufio method in parallel, since we always use OPU in lfs mode, so\\nf2fs_map_blocks() does block allocations aggressively.\\n\\nIn order to fix this issue, let\u0027s give a chance to trigger foreground\\ngc in prior to block allocation in f2fs_map_blocks().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: correcci\u00f3n para activar el gc de primer plano durante f2fs_map_blocks() en modo lfs con la opci\u00f3n de montaje \\\"mode=lfs\\\", generic/299 provocar\u00e1 p\u00e1nico en el sistema como se muestra a continuaci\u00f3n: ------------[ cortar aqu\u00ed ]------------ \u00a1ERROR del kernel en fs/f2fs/segment.c:2835! Rastreo de llamadas:  f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 La causa principal de la falta de espacio es que, en f2fs_map_blocks(), f2fs puede activar el recolector de basura en primer plano solo si asigna alg\u00fan bloque f\u00edsico. Esto ocurrir\u00e1 un poco m\u00e1s tarde, cuando varios subprocesos escriban datos con el m\u00e9todo aio/dio/bufio en paralelo. Dado que siempre usamos OPU en modo lfs, f2fs_map_blocks() realiza asignaciones de bloques de forma agresiva. Para solucionar este problema, permitamos que el recolector de basura en primer plano se active antes de la asignaci\u00f3n de bloques en f2fs_map_blocks().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.8\",\"versionEndExcluding\":\"6.6.102\",\"matchCriteriaId\":\"DA9CAA58-80C7-48D4-A774-66C1C7B0CA0A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.42\",\"matchCriteriaId\":\"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.10\",\"matchCriteriaId\":\"5890C690-B295-40C2-9121-FF5F987E5142\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.16.1\",\"matchCriteriaId\":\"58182352-D7DF-4CC9-841E-03C1D852C3FB\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c737047f4665232d1e26b3620bc62df334545451\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.