CVE-2025-38652

f2fs: fix to avoid out-of-boundary access in devs.path

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in devs.path - touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - truncate -s $((1024*1024*1024)) \ /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - touch /mnt/f2fs/file - truncate -s $((1024*1024*1024)) /mnt/f2fs/file - mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ -c /mnt/f2fs/file - mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ /mnt/f2fs/loop [16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path. struct f2fs_dev_info { ... char path[MAX_PATH_LEN]; ... }; Let's add one byte space for sbi->devs.path[] to store null character of device path string.

N/A
CVSS
Severity:
EPSS 0.03%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/dc0172c74bd9edaee7bea2ebb35f3dbd37a8ae80
https://git.kernel.org/stable/c/1cf1ff15f262e8baf12201b270b6a79f9d119b2d
https://git.kernel.org/stable/c/666b7cf6ac9aa074b8319a2b68cba7f2c30023f0
https://git.kernel.org/stable/c/3466721f06edff834f99d9f49f23eabc6b2cb78e
https://git.kernel.org/stable/c/345fc8d1838f3f8be7c8ed08d86a13dedef67136
https://git.kernel.org/stable/c/70849d33130a2cf1d6010069ed200669c8651fbd
https://git.kernel.org/stable/c/755427093e4294ac111c3f9e40d53f681a0fbdaa
https://git.kernel.org/stable/c/1b1efa5f0e878745e94a98022e8edc675a87d78e
https://git.kernel.org/stable/c/5661998536af52848cc4d52a377e90368196edea

Frequently Asked Questions

What is the severity of CVE-2025-38652?
CVE-2025-38652 has not yet been assigned a CVSS score.
How to fix CVE-2025-38652?
To fix CVE-2025-38652, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38652 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38652 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38652?
CVE-2025-38652 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.