CVE-2025-40237
- Source
- https://cve.org/CVERecord?id=CVE-2025-40237
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40237.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40237
- Aliases
- Downstream
- Published
- 2025-12-04T15:31:27.325Z
- Modified
- 2026-02-09T18:11:36.326677Z
- Summary
- fs/notify: call exportfs_encode_fid with s_umount
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
fs/notify: call exportfsencodefid with s_umount
Calling intotifyshowfdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.
This issue was found by syzkaller.
Race Condition Diagram:
Thread 1 Thread 2 -------- --------
genericshutdownsuper() shrinkdcacheforumount sb->sroot = NULL
| | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | vfsnotifysbdelete(sb)
Which then leads to:
[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
<snip registers, unreliable trace>
[ 32.143353] Call Trace: [ 32.143732] ovlencodefh+0xd5/0x170 [ 32.144031] exportfsencodeinodefh+0x12f/0x300 [ 32.144425] showmarkfhandle+0xbe/0x1f0 [ 32.145805] inotifyfdinfo+0x226/0x2d0 [ 32.146442] inotifyshowfdinfo+0x1c5/0x350 [ 32.147168] seqshow+0x530/0x6f0 [ 32.147449] seqreaditer+0x503/0x12a0 [ 32.148419] seqread+0x31f/0x410 [ 32.150714] vfsread+0x1f0/0x9e0 [ 32.152297] ksysread+0x125/0x240
IOW ovlcheckencodeorigin derefs inode->isb->s_root, after it was set to NULL in the unmount path.
Fix it by protecting calling exportfsencodefid() from showmarkfhandle() with s_umount lock.
This form of fix was suggested by Amir in [1].
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40237.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496
- https://git.kernel.org/stable/c/950b604384fd75d62e860bec7135b2b62eb4d508
- https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a
- https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656
- https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40237.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40237
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda1a541fbfa7e97c1100144db34b57553d7164ce5Fixed950b604384fd75d62e860bec7135b2b62eb4d508
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf0c0ac84de17c37e6e84da65fb920f91dada55adFixedbc1c6b803e14ea2b8f7e33b7164013f666ceb656
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3c7c90274ae339e1ad443c9be1c67a20b80b9c76Fixed3f307a9f7a7a2822e38ac451b73e2244e7279496
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc45beebfde34aa71afbc48b2c54cdda623515037Fixedd1894bc542becb0fda61e7e513b09523cab44030Fixeda7c4bb43bfdc2b9f06ee9d036028ed13a83df42a