CVE-2025-38652

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in devs.path

touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
truncate -s $((102410241024))
/mnt/f2fs/012345678901234567890123456789012345678901234567890123
touch /mnt/f2fs/file
truncate -s $((102410241024)) /mnt/f2fs/file
mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123
-c /mnt/f2fs/file
mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123
/mnt/f2fs/loop

[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices

If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path.

struct f2fs_dev_info { ... char path[MAX_PATH_LEN]; ... };

Let's add one byte space for sbi->devs.path[] to store null character of device path string.

Published: Aug 22, 2025
Updated: Jan 8, 2026
CVE: CVE-2025-38652
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWEs:

CWE-125

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	4.10	5.4.297
linux / linux_kernel	5.5	5.10.241
linux / linux_kernel	5.11	5.15.190
linux / linux_kernel	5.16	6.1.148
linux / linux_kernel	6.2	6.6.102
linux / linux_kernel	6.7	6.12.42
linux / linux_kernel	6.13	6.15.10
linux / linux_kernel	6.16	6.16.1
debian / debian_linux	11.0	11.0.x

Vulnerability Database

318,756

CVE-2025-38652

Deep Security Visibility Without the Complexity