Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68772

CVE-2025-68772: Linux Kernel Race Condition Vulnerability

CVE-2025-68772 is a race condition flaw in the Linux kernel f2fs filesystem that causes divide-by-zero errors during compression context updates. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-68772 Overview

A race condition vulnerability exists in the Linux kernel's f2fs (Flash-Friendly File System) compression subsystem that can lead to a divide-by-zero error during writeback operations. The vulnerability occurs when the compression context is modified while writeback is in progress, causing the f2fs_all_cluster_page_ready() function to perform a division operation using an uninitialized or zero cluster size value.

Critical Impact

This vulnerability can cause a kernel panic (Oops) leading to system crash and denial of service when concurrent filesystem operations trigger the race condition between fsync, setattr, and ioctl operations.

Affected Products

  • Linux kernel with f2fs filesystem support
  • Systems running kernel version 6.17.0 and potentially earlier versions
  • Linux-based systems using f2fs compression features

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68772 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68772

Vulnerability Analysis

The vulnerability is triggered by a race condition between three concurrent filesystem operations: fsync, setattr, and ioctl. When f2fs_write_cache_pages() is executing on a non-compressed inode, it initializes the cluster context with i_cluster_size = 0. During this operation, if another thread calls f2fs_setflags_common() to enable compression via set_compress_context(), the i_cluster_size is updated to 4 and the FI_COMPRESSED_FILE flag is set on the inode.

Subsequently, when f2fs_all_cluster_page_ready() checks the compression status and finds the file is now marked as compressed, it attempts to perform a modulo operation (pgidx % cc->cluster_size) using the original cluster context which still contains a zero cluster size, resulting in a divide-by-zero kernel panic.

Root Cause

The root cause is the lack of synchronization between the writeback path and compression context modification. The f2fs_inode_info structure's compression-related fields (i_cluster_size and the FI_COMPRESSED_FILE flag) can be modified while writeback operations are in progress, leading to inconsistent state where the code paths make decisions based on stale or partially updated compression metadata.

The kernel Oops occurs at f2fs_all_cluster_page_ready+0x106/0x550 in fs/f2fs/compress.c:857, which performs a division operation using the cluster size without validating that compression context initialization has completed.

Attack Vector

The attack vector requires local access to a system with an f2fs filesystem mounted with compression support. An attacker or a normal user can trigger this vulnerability by:

  1. Opening a file on an f2fs filesystem that is not compressed
  2. Initiating a sync operation (fsync) to start writeback
  3. Concurrently issuing ioctl calls to enable compression on the same file
  4. The race condition between these operations can cause the kernel to crash

The vulnerability manifests when three concurrent operations race: the fsync path tags pages for writeback with a zero cluster size, while the ioctl path sets the compressed flag and updates the cluster size to 4. When the writeback path then checks f2fs_compressed_file(), it returns true due to the newly set flag, but the modulo operation uses the original zero cluster size, causing the divide error. See the kernel git commits for the complete fix implementation.

Detection Methods for CVE-2025-68772

Indicators of Compromise

  • Kernel panic messages containing divide error: 0000 with SMP KASAN PTI indicators
  • Stack traces showing f2fs_all_cluster_page_ready in the call chain
  • System logs indicating Oops with RIP pointing to fs/f2fs/compress.c:857
  • Unexpected system crashes or reboots on systems using f2fs compression

Detection Strategies

  • Monitor kernel logs for divide-by-zero errors originating from f2fs compression code paths
  • Implement kernel crash dump analysis to identify stack traces matching the vulnerable code path
  • Use KASAN (Kernel Address Sanitizer) enabled kernels in development/testing environments to catch race conditions early
  • Deploy file integrity monitoring on systems using f2fs to detect unexpected filesystem state changes

Monitoring Recommendations

  • Enable kernel crash reporting (kdump/kexec) to capture diagnostic information during kernel panics
  • Monitor /var/log/kern.log or dmesg output for f2fs-related errors and warnings
  • Implement system stability monitoring to detect unexpected reboots that may indicate exploitation attempts
  • Use performance monitoring tools to track f2fs writeback operations and detect anomalous patterns

How to Mitigate CVE-2025-68772

Immediate Actions Required

  • Apply the available kernel patches from the Linux kernel stable branches immediately
  • Consider temporarily disabling f2fs compression features on production systems until patched
  • Restrict access to f2fs ioctl operations to privileged users where possible
  • Monitor systems for signs of instability that may indicate exploitation attempts

Patch Information

The fix introduces a new atomic type variable .writeback in the f2fs_inode_info structure to track the number of threads calling f2fs_write_cache_pages(). The patch uses the .i_sem lock to protect .writeback updates and adds a check for .writeback before updating the compression context in f2fs_setflags_common() to prevent races with the writepages operation.

Multiple patches have been committed to the stable kernel branches:

Workarounds

  • Mount f2fs filesystems without compression support as a temporary workaround
  • Implement access controls to prevent unprivileged users from modifying compression attributes via ioctl
  • Consider migrating critical workloads to alternative filesystems until the kernel can be updated
  • Use SELinux or AppArmor policies to restrict access to f2fs compression-related operations
bash
# Configuration example
# Remount f2fs without compression as a temporary workaround
mount -o remount,compress_mode=none /path/to/f2fs/mount

# Alternatively, use nocompress mount option
mount -t f2fs -o nocompress /dev/sdXn /mnt/f2fs

# Check current compression settings
cat /sys/fs/f2fs/<device>/features | grep -i compress

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.