CVE-2025-68821 Overview
CVE-2025-68821 is a deadlock vulnerability in the Linux kernel's FUSE (Filesystem in Userspace) subsystem. The vulnerability was introduced by commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed"), which optimized memory allocation by skipping ff->release_args allocation when the FUSE server does not implement open. However, this optimization inadvertently caused fuse_prepare_release() to skip grabbing the reference on the inode, creating a dangerous race condition that can lead to a system deadlock.
Critical Impact
This vulnerability can cause a complete system deadlock when the FUSE server triggers memory reclaim while servicing readahead requests, potentially rendering the system unresponsive and requiring a hard reboot.
Affected Products
- Linux kernel with FUSE filesystem support
- Systems using FUSE-based filesystems (SSHFS, GlusterFS, NTFS-3G, etc.)
- Linux kernel versions containing commit e26ee4efbc79
Discovery Timeline
- 2026-01-13 - CVE-2025-68821 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68821
Vulnerability Analysis
This deadlock vulnerability occurs due to improper inode reference management in the FUSE filesystem's file release path. When the FUSE server does not implement the open operation, the kernel optimization skips allocating ff->release_args. As a consequence, fuse_prepare_release() no longer grabs a reference on the inode, allowing the inode to be evicted from the dcache while there are still inflight readahead requests.
The deadlock manifests when the following sequence occurs:
- A readahead operation is initiated on a FUSE file, locking the folio
- The FUSE server, while servicing the readahead request, triggers memory reclaim
- Reclaim attempts to evict the FUSE inode associated with the file being read
- fuse_evict_inode() calls truncate_inode_pages_range() to remove all folios from the page cache
- The truncation attempts to acquire the folio lock, but it's already held by readahead
- Readahead cannot release the folio lock because the FUSE server that must complete the request is itself blocked waiting for reclaim to finish
Root Cause
The root cause is the missing inode reference in fuse_prepare_release() when ff->release_args is not allocated. The original commit optimized memory usage but failed to maintain the critical inode reference that prevents premature inode eviction during active file operations. Without this reference, the kernel's memory management subsystem can attempt to free the inode while the file is still being accessed, creating a circular wait condition.
Attack Vector
This vulnerability can be triggered through normal filesystem operations when:
- A FUSE filesystem is mounted with a server that does not implement the open operation
- Readahead operations are performed on files (common during sequential reads)
- The system experiences memory pressure, triggering the reclaim mechanism
- The reclaim process attempts to evict the inode currently being read
While this vulnerability requires specific conditions to trigger, it can occur during normal operation on systems under memory pressure. The attack vector is primarily local, as it requires access to a FUSE-mounted filesystem on the target system.
The deadlock condition is illustrated by the kernel stack trace, showing the blocking chain from folio_wait_bit_common through the memory reclaim path to the page fault handler.
Detection Methods for CVE-2025-68821
Indicators of Compromise
- System hangs or becomes unresponsive during FUSE filesystem operations
- Kernel stack traces showing folio_wait_bit_common blocked in truncate_inode_pages_range
- Processes stuck in uninterruptible sleep (D state) with FUSE-related operations in the call stack
- Memory reclaim operations (shrink_slab, shrink_node) blocking indefinitely
Detection Strategies
- Monitor system logs for kernel warnings related to FUSE or memory reclaim deadlocks
- Use dmesg to check for hung task warnings involving FUSE filesystem operations
- Deploy kernel tracing to identify circular wait conditions in the FUSE subsystem
- Check for processes in D state with ps -eo pid,stat,wchan:32,comm | awk '$2 ~ /^D/' and look for FUSE-related operations in their wait channel or call stack
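The indicators above can be checked mechanically. The following is an added example, not vendor or kernel code: it scans hung-task reports for a call trace containing folio_wait_bit_common, truncate_inode_pages_range and fuse_evict_inode together. The function name and the sample log (task names, PIDs, offsets) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not vendor or kernel code): flag hung-task reports whose call
# trace contains the blocking chain this page describes for CVE-2025-68821.

find_fuse_evict_deadlock() {
  # Reads kernel log text on stdin, prints "comm:pid" per matching report.
  awk '
    function report() {
      if (task != "" && has_wait && has_trunc && has_evict) print task
      has_wait = has_trunc = has_evict = 0
    }
    /INFO: task .* blocked for more than/ {
      report()                       # close the previous report, if any
      task = $0
      sub(/.*INFO: task /, "", task)
      sub(/ blocked for more than.*/, "", task)
      next
    }
    /folio_wait_bit_common/      { has_wait = 1 }
    /truncate_inode_pages_range/ { has_trunc = 1 }
    /fuse_evict_inode/           { has_evict = 1 }
    END { report() }
  '
}

# Constructed sample log: offsets, task names and PIDs are made up.
sample_log() {
  cat <<'EOF'
[ 100.000001] INFO: task fuse-server:4242 blocked for more than 120 seconds.
[ 100.000002] Call Trace:
[ 100.000003]  folio_wait_bit_common+0x0/0x0
[ 100.000004]  truncate_inode_pages_range+0x0/0x0
[ 100.000005]  fuse_evict_inode+0x0/0x0
[ 100.000006]  shrink_slab+0x0/0x0
[ 100.000007]  shrink_node+0x0/0x0
[ 200.000001] INFO: task backup-job:5151 blocked for more than 120 seconds.
[ 200.000002] Call Trace:
[ 200.000003]  folio_wait_bit_common+0x0/0x0
[ 200.000004]  filemap_read+0x0/0x0
EOF
}

sample_log | find_fuse_evict_deadlock   # prints fuse-server:4242
```

On a live system, feed it the kernel log instead, for example dmesg | find_fuse_evict_deadlock. The second sample report is not flagged because a folio wait alone, without the FUSE eviction path, is not this deadlock.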
Monitoring Recommendations
- Implement watchdog monitoring for systems with FUSE filesystems to detect hangs
- Configure kernel hung task detection with appropriate timeouts
- Monitor memory pressure metrics on systems using FUSE-based storage solutions
- Set up alerts for unusual patterns in memory reclaim activity on FUSE-enabled systems
How to Mitigate CVE-2025-68821
Immediate Actions Required
- Apply the kernel patches provided in the stable kernel tree immediately
- Schedule system reboots to activate the patched kernel
- Consider temporarily reducing readahead settings on affected FUSE filesystems
- Monitor affected systems for signs of deadlock until patches are applied
Patch Information
The Linux kernel maintainers have released patches to fix this deadlock. The fix ensures that ff->release_args is allocated and the inode reference is grabbed when preparing the file for release, even if the FUSE server does not implement open. The inode reference is properly dropped when the last reference on the fuse file is dropped via fuse_file_put() -> fuse_release_end().
Patches are available at:
- Kernel Commit 4703bc0e8cd3
- Kernel Commit bd5603eaae0a
- Kernel Commit cf74785c00b8
- Kernel Commit e0d6de83a4cc
- Kernel Commit fbba8b00bbe4
Workarounds
- Reduce memory pressure on systems using FUSE filesystems by increasing available RAM or reducing workload
- Temporarily unmount non-critical FUSE filesystems until patched kernels are deployed
- Disable or reduce readahead on FUSE mounts using mount options where applicable
- Consider using alternative filesystem implementations for critical workloads until the patch is applied
# Check current kernel version for vulnerability assessment
uname -r
# View FUSE-related kernel modules
lsmod | grep fuse
# Monitor for hung tasks related to FUSE
dmesg -w | grep -i "hung_task\|fuse"
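For the workaround of reducing readahead on FUSE mounts, the following added example (not vendor or kernel code) lists FUSE mounts from mountinfo data and the sysfs readahead setting for each. It assumes FUSE registers its backing-dev-info under /sys/class/bdi/ as MAJOR:MINOR, with a "-fuseblk" suffix for block-device-backed mounts. The function name and sample mount table are constructed.

```bash
#!/usr/bin/env bash
# Added example (not vendor or kernel code): list FUSE mounts from mountinfo
# data together with the sysfs readahead knob of each mount.
# Assumption: FUSE registers its backing-dev-info under /sys/class/bdi/ as
# MAJOR:MINOR, with a "-fuseblk" suffix for block-device-backed mounts.

list_fuse_readahead_knobs() {
  # Reads /proc/self/mountinfo-format text on stdin.
  awk '
    {
      # Optional fields end at a lone "-"; the filesystem type follows it.
      for (i = 7; i <= NF; i++) if ($i == "-") break
      fstype = $(i + 1)
      if (fstype ~ /^fuseblk(\.|$)/)   suffix = "-fuseblk"
      else if (fstype ~ /^fuse(\.|$)/) suffix = ""
      else next                        # skips fusectl and non-FUSE mounts
      printf "%s %s /sys/class/bdi/%s%s/read_ahead_kb\n", $5, fstype, $3, suffix
    }
  '
}

# Constructed sample in mountinfo format; IDs, devices and paths are made up.
sample_mountinfo() {
  cat <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 25 0:36 / /sys/fs/fuse/connections rw,relatime shared:20 - fusectl fusectl rw
71 25 0:52 / /mnt/remote rw,nosuid,nodev shared:45 - fuse.sshfs user@host:/srv rw,user_id=1000,group_id=1000
72 25 8:17 / /mnt/usb rw,nosuid,nodev - fuseblk /dev/sdb1 rw,user_id=0,group_id=0
EOF
}

sample_mountinfo | list_fuse_readahead_knobs
```

Run it as list_fuse_readahead_knobs < /proc/self/mountinfo on a real host; reading each listed file shows the current readahead size in KiB, and lowering it requires root.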
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

