CVE-2025-68794 Overview
A vulnerability has been identified in the Linux kernel's iomap subsystem where the iomap_adjust_read_range() function incorrectly handles non-block-aligned positions and lengths. The function assumes that input position and length values are block-aligned, which is not always the case. This miscalculation causes too many bytes to be skipped for uptodate blocks, resulting in incorrect position and length values being returned for read operations. In worst-case scenarios where all blocks are marked as uptodate, this can cause an integer underflow in the length calculation and return a position beyond the folio boundary.
Critical Impact
Integer underflow vulnerability in Linux kernel iomap subsystem can cause incorrect read range calculations, potentially leading to memory access issues and system instability when processing filesystem operations.
Affected Products
- Linux kernel (versions with vulnerable iomap implementation)
- Systems using erofs filesystem
- Linux-based systems with affected kernel versions
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-68794 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68794
Vulnerability Analysis
The vulnerability exists within the iomap_adjust_read_range() function in the Linux kernel's iomap subsystem. This function is responsible for calculating the correct byte range to read from storage when handling filesystem I/O operations. The core issue stems from a flawed assumption that incoming position and length parameters are always aligned to block boundaries.
When the function processes non-block-aligned inputs—a scenario discovered through syzbot fuzzing on the erofs filesystem—the calculation for skipping uptodate blocks becomes incorrect. The function fails to account for the block offset when determining how many bytes can be safely skipped, leading to an over-calculation of skippable bytes.
This bug manifests most severely when all blocks in the requested range are already marked as uptodate in memory. In this case, the excessive skip calculation causes the length variable to underflow (wrap around to a very large value due to unsigned arithmetic), and the returned position points beyond the valid folio boundary. This can result in out-of-bounds memory access or other undefined behavior during subsequent I/O operations.
Root Cause
The root cause is an incorrect byte skip calculation in iomap_adjust_read_range() that does not properly handle the block offset component when the input position is not block-aligned. The function needs to consider both the block alignment and the actual offset within the block when calculating how many bytes correspond to uptodate blocks that can be skipped.
Attack Vector
This vulnerability can be triggered through filesystem operations that result in non-block-aligned read requests being processed by the iomap layer. The syzbot fuzzer demonstrated this issue using the erofs filesystem, suggesting that any filesystem utilizing the iomap infrastructure could potentially trigger this condition under specific I/O patterns.
The vulnerability was discovered through automated fuzzing, indicating it requires specific conditions to trigger. While local access to mount and interact with affected filesystems would typically be required, the impact could include system crashes or memory corruption if the malformed read range calculations cause subsequent kernel code to access invalid memory regions.
Detection Methods for CVE-2025-68794
Indicators of Compromise
- Unexpected kernel crashes or panics during filesystem read operations
- System instability when accessing erofs or other iomap-based filesystems
- Kernel log messages indicating memory access violations in iomap-related functions
- Abnormal filesystem behavior with non-standard block alignment patterns
Detection Strategies
- Monitor kernel logs for iomap subsystem errors or warnings
- Deploy kernel runtime integrity monitoring to detect anomalous memory access patterns
- Use kernel address sanitizer (KASAN) in development environments to catch out-of-bounds access
- Implement filesystem fuzzing tests to identify triggering conditions in your environment
Monitoring Recommendations
- Enable kernel tracing for iomap operations on production systems
- Configure crash dump collection to capture kernel state during any filesystem-related crashes
- Monitor for unusual patterns in filesystem I/O metrics that could indicate exploitation attempts
- Review system stability metrics for correlation with filesystem mount/access events
How to Mitigate CVE-2025-68794
Immediate Actions Required
- Update to a patched Linux kernel version that includes the iomap fix
- Review systems using erofs or other iomap-dependent filesystems for potential impact
- Monitor affected systems for signs of instability until patches can be applied
- Consider limiting access to mount untrusted filesystems on vulnerable systems
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix ensures that the block offset is properly accounted for when calculating how many bytes can be skipped for uptodate blocks in iomap_adjust_read_range().
Multiple kernel stable tree commits have been published to fix this issue:
- Kernel Git Commit 12053695
- Kernel Git Commit 142194fb
- Kernel Git Commit 7aa6bc3
- Kernel Git Commit 82b60ffb
Workarounds
- Limit filesystem mount capabilities to trusted users only until patching is complete
- Avoid using erofs or other filesystems known to trigger non-block-aligned iomap operations on unpatched systems
- Consider using alternative filesystems that do not rely on the vulnerable iomap code path
- Implement strict access controls on systems where kernel updates cannot be immediately applied
# Check current kernel version
uname -r
# Verify if patches are applied by checking kernel git log
# or comparing against fixed commit hashes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
