CVE-2025-38579

Source
https://cve.org/CVERecord?id=CVE-2025-38579
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38579.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38579
Published
2025-08-19T17:03:02.308Z
Modified
2026-03-09T23:51:37.471826Z
Summary
f2fs: fix KMSAN uninit-value in extent_info usage
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix KMSAN uninit-value in extent_info usage

KMSAN reported a use of uninitialized value in __is_extent_mergeable() and __is_back_mergeable() via the read extent tree path.

The root cause is that get_read_extent_info() only initializes three fields (fofs, blk, len) of struct extent_info, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during extent merging.

Fix it by zero-initializing the extent_info struct before population.
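
The bug class described above, as an added illustration (not the kernel's code or the upstream patch): a simplified stand-in struct whose getter fills only fofs, blk and len, next to a zero-first variant. The `extra` field, the `disk_extent` type, every function name and the 0xAA pre-fill that models stale memory are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in, not the kernel definition. `extra` is hypothetical. */
struct extent_info { unsigned int fofs, blk, len, extra; };
struct disk_extent { unsigned int fofs, blk, len; };  /* constructed source record */
/* "Before" shape: three fields written, `extra` keeps whatever was in memory. */
static void get_extent_partial(struct extent_info *ei, const struct disk_extent *src)
{
    ei->fofs = src->fofs;
    ei->blk = src->blk;
    ei->len = src->len;
}

/* "After" shape: zero the whole struct before populating it. */
static void get_extent_zeroed(struct extent_info *ei, const struct disk_extent *src)
{
    memset(ei, 0, sizeof(*ei));
    get_extent_partial(ei, src);
}

/* Hypothetical merge check that also consults the field the getter never set. */
static bool is_mergeable(const struct extent_info *back, const struct extent_info *front)
{
    if (back->extra || front->extra)
        return false;
    return back->fofs + back->len == front->fofs &&
           back->blk + back->len == front->blk;
}

/* Pre-fill with 0xAA to model stale stack data without undefined behavior. */
static bool merge_result(void (*get)(struct extent_info *, const struct disk_extent *))
{
    const struct disk_extent a = { 0, 100, 8 }, b = { 8, 108, 8 };  /* adjacent */
    struct extent_info back, front;
    memset(&back, 0xAA, sizeof(back));
    memset(&front, 0xAA, sizeof(front));
    get(&back, &a);
    get(&front, &b);
    return is_mergeable(&back, &front);
}

int main(void)
{
    printf("partial init: mergeable=%d\n", merge_result(get_extent_partial));
    printf("zero first:   mergeable=%d\n", merge_result(get_extent_zeroed));
    return 0;
}
```

With the partial getter the two adjacent extents are reported as not mergeable because the check reads leftover bytes; with the zero-first getter the same inputs merge.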

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38579.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
94afd6d6e5253179c9b891d02081cc8355a11768
Fixed
08e8ab00a6d20d5544c932ee85a297d833895141
Fixed
e68b751ec2b15d866967812c57cfdfc1eba6a269
Fixed
dabfa3952c8e6bfe6414dbf32e8b6c5f349dc898
Fixed
44a79437309e0ee2276ac17aaedc71253af253a8
Fixed
cc1615d5aba4f396cf412579928539a2b124c8a0
Fixed
01b6f5955e0008af6bc3a181310d2744bb349800
Fixed
154467f4ad033473e5c903a03e7b9bca7df9a0fa
