CVE-2025-40137

CVSS v2.0

5.5

Medium

Vector

AV:L/AC:H/Au:S/C:C/I:N/A:C

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw within the f2fs file system related to handling page cache during inode destruction. Specifically, the issue arises in the f2fs truncate() function where page #0 might be created in the cache but not properly dropped in error scenarios, leading to inconsistencies detected by clear inode(). This can result in a kernel bug and potential filesystem corruption. The issue was identified through syzbot testing, which reported errors related to SSA boundaries, invalid CRC values, and corrupted inline inodes. The vulnerability occurs during the f2fs evict inode() process, specifically within the f2fs truncate() function, f2fs convert inline inode(), and f2fs grab cache folio().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

BDU:2025-16146

CVE-2025-40137

ECHO-0781-4B37-C9BF

USN-8029-1

USN-8029-2

USN-8029-3

USN-8030-1

USN-8048-1

USN-8095-1

USN-8095-2

USN-8095-3

USN-8095-4

USN-8095-5

USN-8100-1

USN-8125-1

USN-8126-1

USN-8165-1

USN-8261-1

Affected Products

Debian

Linuxmint

Linux Kernel

Ubuntu

CVE-2025-40137

Weakness Enumeration

Related Identifiers

Affected Products

References · 1572