CVE-2025-71107
CVE-2025-71107 is a medium-severity vulnerability in Linux Linux Kernel with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-476.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- EPSS exploit prediction: 0% (5th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-2502
- Weakness: CWE-476
- Affected product: Linux Linux Kernel
- Published:
- Last modified:
Description
In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
Frequently asked questions
- What is CVE-2025-71107?
- In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
- How severe is CVE-2025-71107?
- CVE-2025-71107 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2025-71107 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-71107?
- CVE-2025-71107 primarily affects Linux Linux Kernel. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-71107?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-71107 have an EU (EUVD) identifier?
- Yes. CVE-2025-71107 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-2502.
- When was CVE-2025-71107 published?
- CVE-2025-71107 was published on 2026-01-14 and last updated on 2026-06-17.
References
- https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511
- https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4
- https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025
- https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f
Affected products (10)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
More vulnerabilities in Linux Linux Kernel
- CVE-2023-2163 — Critical (CVSS 10.0): Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe,…
- CVE-2015-8104 — Critical (CVSS 10.0): The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a…
- CVE-2015-1421 — Critical (CVSS 10.0): Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before…
- CVE-2014-2523 — Critical (CVSS 10.0): net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly,…
- CVE-2010-2495 — Critical (CVSS 10.0): The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does…
- CVE-2010-2521 — Critical (CVSS 10.0): Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before…
All CVEs affecting Linux Linux Kernel →
Other CWE-476 (NULL Pointer Dereference) vulnerabilities
- CVE-2022-36648 — Critical (CVSS 10.0): The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier,…
- CVE-2020-14500 — Critical (CVSS 10.0): Secomea GateManager all versions prior to 9.2c, An attacker can send a negative value and overwrite arbitrary data.
- CVE-2010-2495 — Critical (CVSS 10.0): The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does…
- CVE-2026-46195 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building…
- CVE-2026-31657 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by…
- CVE-2026-31436 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor…
Browse all CWE-476 (NULL Pointer Dereference) vulnerabilities →