{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T04:37:37.367","vulnerabilities":[{"cve":{"id":"CVE-2025-38627","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-22T16:15:36.337","lastModified":"2026-06-01T17:16:35.667","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n    The UAF case as below:\n    Thread A                                      Thread B\n    - f2fs_decompress_end_io\n     - f2fs_put_dic\n      - queue_work\n        add free_dic work to post_read_wq\n                                                   - do_unlink\n                                                    - iput\n                                                     - evict\n                                                      - call_rcu\n    This file is deleted after read.\n\n    Thread C                                 kworker to process post_read_wq\n    - rcu_do_batch\n     - f2fs_free_inode\n      - kmem_cache_free\n     inode is freed by rcu\n                                             - process_scheduled_works\n                                              - f2fs_late_free_dic\n                                               - f2fs_free_dic\n                                                - f2fs_release_decomp_mem\n                                      read (dic->inode)->i_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: compress: fix UAF de f2fs_inode_info en f2fs_free_dic El decompress_io_ctx puede liberarse de forma asíncrona tras la finalización de la E/S. Si este archivo se elimina inmediatamente después de la lectura, y el kworker del procesamiento de post_read_wq aún no se ha ejecutado debido a las altas cargas de trabajo, es posible que el inodo (f2fs_inode_info) se desaloje y se libere antes de que se use f2fs_free_dic. El caso de UAF como se muestra a continuación: Hilo A Hilo B - f2fs_decompress_end_io - f2fs_put_dic - queue_work añadir trabajo free_dic a post_read_wq - do_unlink - iput - evict - call_rcu Este archivo se elimina tras la lectura. Hilo C kworker para procesar post_read_wq - rcu_do_batch - f2fs_free_inode - kmem_cache_free inodo liberado por rcu - process_scheduled_works - f2fs_late_free_dic - f2fs_free_dic - f2fs_release_decomp_mem lectura (dic->inode)->i_compress_algorithm). Este parche almacena compress_algorithm y sbi en dic para evitar el UAF del inodo. Además, la solución anterior está obsoleta en [1] y puede causar un bloqueo del sistema. [1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.16.1","matchCriteriaId":"3AF1532A-8F0C-4D73-8D9F-3580F2A8F834"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/74cbeeca4f16823ba58c882e1d8b836c0e39c93d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cc81768212cdc509e5a986274db7bc24d18cde19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}