CVE-2025-38579

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The Linux kernel contained a flaw within the f2fs file system related to uninitialized values in the extent info structure. Specifically, the get read extent info() function only initialized a subset of fields within the struct extent info, leaving others uninitialized. This resulted in undefined behavior when these uninitialized fields were accessed during extent merging operations, as reported by KMSAN when analyzing the is extent mergeable() and is back mergeable() functions. The issue was addressed by zero-initializing the entire extent info structure before populating it.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-908

Related Identifiers

BDU:2025-15175

CVE-2025-38579

DLA-4328-1

ECHO-FF95-6B30-80B8

MGASA-2025-0234

MGASA-2025-0235

USN-7879-1

USN-7879-2

USN-7879-3

USN-7879-4

USN-7880-1

USN-7909-1

USN-7909-2

USN-7909-3

USN-7909-4

USN-7909-5

USN-7910-1

USN-7910-2

USN-7933-1

USN-7934-1

USN-7938-1

USN-8028-1

USN-8028-2

USN-8028-3

USN-8028-4

USN-8028-5

USN-8028-6

USN-8028-7

USN-8028-8

USN-8031-1

USN-8031-2

USN-8031-3

USN-8052-1

USN-8052-2

USN-8074-1

USN-8074-2

USN-8126-1

Affected Products

Astra Linux

Debian

Linuxmint

Linux Kernel

Red Os

Ubuntu

CVE-2025-38579

Weakness Enumeration

Related Identifiers

Affected Products

References · 1361