CVE-2025-38627

{"id": "CVE-2025-38627", "cveTags": [], "metrics": {}, "published": "2025-08-22T16:15:36.337", "references": [{"url": "https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n The UAF case as below:\n Thread A Thread B\n - f2fs_decompress_end_io\n - f2fs_put_dic\n - queue_work\n add free_dic work to post_read_wq\n - do_unlink\n - iput\n - evict\n - call_rcu\n This file is deleted after read.\n\n Thread C kworker to process post_read_wq\n - rcu_do_batch\n - f2fs_free_inode\n - kmem_cache_free\n inode is freed by rcu\n - process_scheduled_works\n - f2fs_late_free_dic\n - f2fs_free_dic\n - f2fs_release_decomp_mem\n read (dic->inode)->i_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"}], "lastModified": "2025-08-22T18:08:51.663", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}