CVE-2025-68772 Overview
A race condition vulnerability exists in the Linux kernel's f2fs (Flash-Friendly File System) compression subsystem that can lead to a divide-by-zero error during writeback operations. The vulnerability occurs when the compression context is modified while writeback is in progress, causing the f2fs_all_cluster_page_ready() function to perform a division operation using an uninitialized or zero cluster size value.
Critical Impact
This vulnerability can cause a kernel panic (Oops) leading to system crash and denial of service when concurrent filesystem operations trigger the race condition between fsync, setattr, and ioctl operations.
Affected Products
- Linux kernel with f2fs filesystem support
- Systems running kernel version 6.17.0 and potentially earlier versions
- Linux-based systems using f2fs compression features
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-68772 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68772
Vulnerability Analysis
The vulnerability is triggered by a race condition between three concurrent filesystem operations: fsync, setattr, and ioctl. When f2fs_write_cache_pages() is executing on a non-compressed inode, it initializes the cluster context with i_cluster_size = 0. During this operation, if another thread calls f2fs_setflags_common() to enable compression via set_compress_context(), the i_cluster_size is updated to 4 and the FI_COMPRESSED_FILE flag is set on the inode.
Subsequently, when f2fs_all_cluster_page_ready() checks the compression status and finds the file is now marked as compressed, it attempts to perform a modulo operation (pgidx % cc->cluster_size) using the original cluster context which still contains a zero cluster size, resulting in a divide-by-zero kernel panic.
Root Cause
The root cause is the lack of synchronization between the writeback path and compression context modification. The f2fs_inode_info structure's compression-related fields (i_cluster_size and the FI_COMPRESSED_FILE flag) can be modified while writeback operations are in progress, leading to inconsistent state where the code paths make decisions based on stale or partially updated compression metadata.
The kernel Oops occurs at f2fs_all_cluster_page_ready+0x106/0x550 in fs/f2fs/compress.c:857, which performs a division operation using the cluster size without validating that compression context initialization has completed.
Attack Vector
The attack vector requires local access to a system with an f2fs filesystem mounted with compression support. An attacker or a normal user can trigger this vulnerability by:
- Opening a file on an f2fs filesystem that is not compressed
- Initiating a sync operation (fsync) to start writeback
- Concurrently issuing ioctl calls to enable compression on the same file
- The race condition between these operations can cause the kernel to crash
The vulnerability manifests when three concurrent operations race: the fsync path tags pages for writeback with a zero cluster size, while the ioctl path sets the compressed flag and updates the cluster size to 4. When the writeback path then checks f2fs_compressed_file(), it returns true due to the newly set flag, but the modulo operation uses the original zero cluster size, causing the divide error. See the kernel git commits for the complete fix implementation.
Detection Methods for CVE-2025-68772
Indicators of Compromise
- Kernel panic messages containing divide error: 0000 with SMP KASAN PTI indicators
- Stack traces showing f2fs_all_cluster_page_ready in the call chain
- System logs indicating Oops with RIP pointing to fs/f2fs/compress.c:857
- Unexpected system crashes or reboots on systems using f2fs compression
Detection Strategies
- Monitor kernel logs for divide-by-zero errors originating from f2fs compression code paths
- Implement kernel crash dump analysis to identify stack traces matching the vulnerable code path
- Use KASAN (Kernel Address Sanitizer) enabled kernels in development/testing environments to catch race conditions early
- Deploy file integrity monitoring on systems using f2fs to detect unexpected filesystem state changes
Monitoring Recommendations
- Enable kernel crash reporting (kdump/kexec) to capture diagnostic information during kernel panics
- Monitor /var/log/kern.log or dmesg output for f2fs-related errors and warnings
- Implement system stability monitoring to detect unexpected reboots that may indicate exploitation attempts
- Use performance monitoring tools to track f2fs writeback operations and detect anomalous patterns
How to Mitigate CVE-2025-68772
Immediate Actions Required
- Apply the available kernel patches from the Linux kernel stable branches immediately
- Consider temporarily disabling f2fs compression features on production systems until patched
- Restrict access to f2fs ioctl operations to privileged users where possible
- Monitor systems for signs of instability that may indicate exploitation attempts
Patch Information
The fix introduces a new atomic type variable .writeback in the f2fs_inode_info structure to track the number of threads calling f2fs_write_cache_pages(). The patch uses the .i_sem lock to protect .writeback updates and adds a check for .writeback before updating the compression context in f2fs_setflags_common() to prevent races with the writepages operation.
Multiple patches have been committed to the stable kernel branches:
- Kernel Git Commit 0bf1a02
- Kernel Git Commit 0df713a
- Kernel Git Commit 10b591e
- Kernel Git Commit ad26bfb
- Kernel Git Commit bcd0086
Workarounds
- Mount f2fs filesystems without compression support as a temporary workaround
- Implement access controls to prevent unprivileged users from modifying compression attributes via ioctl
- Consider migrating critical workloads to alternative filesystems until the kernel can be updated
- Use SELinux or AppArmor policies to restrict access to f2fs compression-related operations
# Configuration example
# Remount f2fs without compression as a temporary workaround
mount -o remount,compress_mode=none /path/to/f2fs/mount
# Alternatively, use nocompress mount option
mount -t f2fs -o nocompress /dev/sdXn /mnt/f2fs
# Check current compression settings
cat /sys/fs/f2fs/<device>/features | grep -i compress
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

