CVE-2025-71069 Overview
CVE-2025-71069 is a Linux kernel vulnerability in the F2FS (Flash-Friendly File System) implementation. The flaw exists in the rename path when RENAME_WHITEOUT operations are performed on directories with corrupted i_current_depth values. When f2fs_add_link fails after partial on-disk modifications, the kernel returns an error to VFS without invalidating the dentry cache. This leaves stale dentry-to-inode mappings that reference an inode whose i_nlink has already been decremented to zero. Subsequent rename operations targeting the same name trigger a WARNING in drop_nlink() and may lead to use-after-free conditions on the stale inode.
Critical Impact
A local attacker able to mount a crafted F2FS image can trigger kernel warnings, dentry cache corruption, and potential use-after-free conditions through sequential renameat2() syscalls.
Affected Products
- Linux kernel versions implementing F2FS with RENAME_WHITEOUT support
- Stable kernel branches that have not yet received the fix commits 0dde307, 3d65e27, 3d95ed8, 64587ab, 7f2bae0, c89845f, and d33f89b
- Linux distributions shipping vulnerable F2FS kernel modules
Discovery Timeline
- 2026-01-13 - CVE-2025-71069 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-71069
Vulnerability Analysis
The vulnerability resides in F2FS rename handling for the RENAME_WHITEOUT flag. F2FS permits mounting filesystems with corrupted directory depth values, which are runtime-clamped to MAX_DIR_HASH_DEPTH. During a whiteout rename, f2fs_rename updates the target directory entry and removes the source entry on disk before calling f2fs_add_link to create the whiteout placeholder.
If f2fs_add_link fails due to the clamped depth, the on-disk modifications are already committed. F2FS returns an error to VFS, which interprets the operation as a complete failure and skips the d_move() call. The dentry cache retains its pre-rename state while the on-disk layout reflects partial completion. The mismatched state allows a follow-up rename to operate on a stale dentry pointing to an inode whose link count has already reached zero.
Root Cause
The root cause is missing dentry cache invalidation in the F2FS rename error path. When f2fs_add_link fails during whiteout creation, f2fs_rename does not invalidate old_dentry or new_dentry. VFS assumes atomicity and does not refresh cache state on error, producing a divergence between the kernel's in-memory view and the on-disk filesystem layout.
Attack Vector
An attacker with permission to mount filesystems or supply a crafted F2FS image can trigger the condition. The reproducer mounts an F2FS image with a corrupted i_current_depth field, then issues renameat2(file2, file1, RENAME_WHITEOUT) followed by renameat2(file3, file1, 0). The second rename uses the stale cached dentry mapping and invokes drop_nlink() on an inode whose i_nlink is already zero, triggering a kernel warning and operating on freed inode memory.
No verified public exploitation code is available. See the upstream commit references for the technical fix details.
Detection Methods for CVE-2025-71069
Indicators of Compromise
- Kernel WARNING messages originating from drop_nlink() in fs/inode.c following F2FS rename operations
- dmesg traces referencing f2fs_rename, f2fs_add_link, or whiteout-related call paths
- Mount events for F2FS images from untrusted or removable media sources
- Unexpected filesystem consistency errors reported by fsck.f2fs after rename activity
Detection Strategies
- Audit kernel ring buffer logs for drop_nlink warnings correlated with F2FS workloads
- Track renameat2 syscalls with the RENAME_WHITEOUT flag on F2FS mounts through eBPF or auditd rules
- Flag mount operations of F2FS filesystems from non-system block devices, especially USB or loopback sources
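The following detector is an added example, not part of this advisory, that implements the indicators and strategies listed above over kernel log text: it extracts F2FS mount notices and WARNING traces raised in drop_nlink(), keeps only traces whose call stack passes through an f2fs_ function, and raises the severity when an F2FS mount from a loop or removable device preceded the warning. The log format assumed is `journalctl -k -o short-iso`; the sample lines, stack offsets and the `fs/inode.c:NNN` location are constructed placeholders, and the set of device names treated as non-system media is an assumption to tune per site.

```python
"""Kernel-log detector for the drop_nlink() warning signature of CVE-2025-71069.

Added example. Assumes `journalctl -k -o short-iso` line shape; the sample
below is constructed, not captured from a real system.
"""
import json
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample. Offsets and the fs/inode.c line number (NNN) are placeholders.
SAMPLE_KLOG = """\
2026-01-14T10:02:11+0000 host kernel: F2FS-fs (loop0): Mounted with checkpoint version = 1
2026-01-14T10:02:13+0000 host kernel: ------------[ cut here ]------------
2026-01-14T10:02:13+0000 host kernel: WARNING: CPU: 1 PID: 4242 at fs/inode.c:NNN drop_nlink+0x52/0x60
2026-01-14T10:02:13+0000 host kernel: Call Trace:
2026-01-14T10:02:13+0000 host kernel:  <TASK>
2026-01-14T10:02:13+0000 host kernel:  f2fs_rename+0x1a2/0x3b0 [f2fs]
2026-01-14T10:02:13+0000 host kernel:  vfs_rename+0x2c4/0x8e0
2026-01-14T10:02:13+0000 host kernel:  do_renameat2+0x3f1/0x520
2026-01-14T10:02:13+0000 host kernel:  ? __x64_sys_renameat2+0x45/0x60
2026-01-14T10:02:13+0000 host kernel:  </TASK>
2026-01-14T10:02:13+0000 host kernel: ---[ end trace 0000000000000000 ]---
2026-01-14T10:20:00+0000 host kernel: WARNING: CPU: 0 PID: 5151 at fs/inode.c:NNN drop_nlink+0x52/0x60
2026-01-14T10:20:00+0000 host kernel: Call Trace:
2026-01-14T10:20:00+0000 host kernel:  vfs_unlink+0x1c0/0x2a0
2026-01-14T10:20:00+0000 host kernel:  do_unlinkat+0x1e5/0x2f0
2026-01-14T10:20:00+0000 host kernel: ---[ end trace 0000000000000000 ]---
"""

_LINE = re.compile(r"^(?P<ts>\S+) \S+ kernel: ?(?P<msg>.*)$")
_MOUNT = re.compile(r"F2FS-fs \((?P<dev>[^)]+)\): Mounted with checkpoint")
_WARN = re.compile(r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at (?P<loc>\S+) drop_nlink\+")
_FRAME = re.compile(r"^\s*(?:\? )?(?P<sym>[A-Za-z_][A-Za-z0-9_.]*)\+0x")
_END = re.compile(r"end trace")
# Assumption: loop, mmcblk and sd* devices count as non-system media; tune per site.
_NON_SYSTEM_DEV = re.compile(r"^(loop\d+|mmcblk\d+(p\d+)?|sd[a-z]+\d*)$")


@dataclass
class Mount:
    ts: datetime
    device: str


@dataclass
class NlinkWarning:
    ts: datetime
    pid: int
    location: str
    frames: list = field(default_factory=list)

    @property
    def f2fs_frames(self) -> list:
        return [f for f in self.frames if f.startswith("f2fs_")]


def parse_klog(text: str):
    """Split kernel log text into F2FS mount events and drop_nlink() warning traces."""
    mounts, warnings, current = [], [], None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        msg = m["msg"]
        if current is not None:            # inside a trace: collect frames until it ends
            if _END.search(msg):
                warnings.append(current)
                current = None
            elif (fm := _FRAME.match(msg)):
                current.frames.append(fm["sym"])
            continue
        if (mm := _MOUNT.search(msg)):
            mounts.append(Mount(ts, mm["dev"]))
        elif (wm := _WARN.search(msg)):
            current = NlinkWarning(ts, int(wm["pid"]), wm["loc"])
    if current is not None:                # trace truncated at end of log
        warnings.append(current)
    return mounts, warnings


def correlate(mounts, warnings, window=timedelta(minutes=10)) -> list:
    """Alert on drop_nlink() warnings whose stack passes through F2FS; escalate when an
    F2FS mount from non-system media happened within the window before the warning."""
    alerts = []
    for w in warnings:
        if not w.f2fs_frames:              # drop_nlink() warning from another filesystem
            continue
        recent = [m for m in mounts if timedelta(0) <= w.ts - m.ts <= window]
        non_system = [m.device for m in recent if _NON_SYSTEM_DEV.match(m.device)]
        alerts.append({
            "ts": w.ts.isoformat(), "pid": w.pid, "location": w.location,
            "frames": w.f2fs_frames, "recent_f2fs_mounts": [m.device for m in recent],
            "severity": "high" if non_system else "medium",
        })
    return alerts


if __name__ == "__main__":
    # Usage: journalctl -k -o short-iso | python3 detect_f2fs_nlink.py
    text = SAMPLE_KLOG if sys.stdin.isatty() else sys.stdin.read()
    mounts, warns = parse_klog(text)
    print(json.dumps(correlate(mounts, warns), indent=2))
```

On the syscall-tracking strategy: the kernel audit subsystem records only the first four syscall arguments (a0 to a3), and the flags of renameat2 are its fifth argument, so an auditd rule can log renameat2 calls with `-S renameat2` but cannot match RENAME_WHITEOUT itself; observing the flag value requires an eBPF probe on the sys_enter_renameat2 tracepoint.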
Monitoring Recommendations
- Centralize kernel logs and alert on F2FS subsystem warnings or BUG traces
- Restrict and monitor user-level mount capabilities, including CAP_SYS_ADMIN grants in containers and user namespaces
- Track installed kernel versions across the fleet to confirm patch coverage for F2FS fixes
How to Mitigate CVE-2025-71069
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the kernel.org stable commits and reboot affected hosts
- Disable F2FS module loading through modprobe configuration on systems that do not require the filesystem
- Restrict mount privileges for untrusted users and disable automatic mounting of removable media
Patch Information
The fix invalidates old_dentry and new_dentry when f2fs_add_link fails during whiteout creation, forcing VFS to refresh dentry state from disk. The corrections are available in the following upstream kernel Git commits: 0dde307, 3d65e27, 3d95ed8, 64587ab, 7f2bae0, c89845f, and d33f89b.
Workarounds
- Blacklist the F2FS kernel module on hosts that do not use it: echo 'blacklist f2fs' > /etc/modprobe.d/f2fs.conf (a blacklist entry only prevents automatic loading by alias, for example on mount; an install f2fs /bin/false line also blocks explicit modprobe)
- Remove SUID mount helpers and require root for filesystem mounts on multi-user systems
- Validate F2FS images with fsck.f2fs before mounting on production hosts
- Disable user_namespaces for unprivileged users where feasible to reduce mount attack surface
# Block F2FS module loading and verify
echo 'install f2fs /bin/false' | sudo tee /etc/modprobe.d/disable-f2fs.conf
sudo update-initramfs -u
lsmod | grep f2fs
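The check below is an added example, not part of this advisory, for verifying the workaround across a fleet: it reads the modprobe.d configuration, /proc/modules and /proc/filesystems and reports whether f2fs is blocked, only blacklisted (autoload stopped but explicit modprobe still works), currently loaded (the policy applies only to future loads), or compiled into the kernel (in which case no modprobe setting can block it). It assumes the standard modprobe.d directive syntax and the standard layouts of the two /proc files; the sample inputs in the usage are constructed.

```python
"""Verify that f2fs cannot be loaded on this host (CVE-2025-71069 workaround check).

Added example. Assumes modprobe.d syntax and the /proc/modules and
/proc/filesystems formats; file contents are passed as text so the
logic can be checked against constructed input.
"""
import re
import sys
from pathlib import Path

_BLACKLIST = re.compile(r"^blacklist f2fs$")
_INSTALL_BLOCK = re.compile(r"^install f2fs /bin/(false|true)$")


def modprobe_policy(conf_texts) -> dict:
    """Scan modprobe.d file contents for the directives that affect f2fs.

    `blacklist f2fs` stops alias-based autoload only; `install f2fs /bin/false`
    (or /bin/true) replaces the load command, so explicit modprobe also fails.
    """
    policy = {"blacklist": False, "install_blocked": False}
    for text in conf_texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments
            line = re.sub(r"\s+", " ", line)             # normalise whitespace
            if _BLACKLIST.match(line):
                policy["blacklist"] = True
            elif _INSTALL_BLOCK.match(line):
                policy["install_blocked"] = True
    return policy


def module_loaded(proc_modules: str) -> bool:
    """True if f2fs is listed as a loaded module (first column of /proc/modules)."""
    return any(line.split()[0] == "f2fs"
               for line in proc_modules.splitlines() if line.strip())


def fs_registered(proc_filesystems: str) -> bool:
    """True if the kernel currently knows the f2fs type (last column of /proc/filesystems)."""
    return any(line.split()[-1] == "f2fs"
               for line in proc_filesystems.splitlines() if line.strip())


def assess(policy: dict, proc_modules: str, proc_filesystems: str) -> str:
    """Classify the host's f2fs exposure from policy and kernel state."""
    if module_loaded(proc_modules):
        return "loaded"           # config only governs future loads; unload first
    if fs_registered(proc_filesystems):
        return "builtin"          # f2fs compiled in; modprobe config cannot block it
    if policy["install_blocked"]:
        return "blocked"
    if policy["blacklist"]:
        return "autoload_only"    # explicit `modprobe f2fs` would still succeed
    return "unrestricted"


def assess_host(confdir: Path = Path("/etc/modprobe.d")) -> str:
    """Read the live host files and classify them."""
    texts = [p.read_text(errors="replace") for p in sorted(confdir.glob("*.conf"))]
    return assess(modprobe_policy(texts),
                  Path("/proc/modules").read_text(),
                  Path("/proc/filesystems").read_text())


if __name__ == "__main__":
    # Exit status 0 only when f2fs is fully blocked, so the script can gate a fleet check.
    status = assess_host()
    print(f"f2fs: {status}")
    sys.exit(0 if status == "blocked" else 1)
```

Run it after applying the modprobe change; a result of `loaded` means the module must be unloaded before the policy takes effect, and `builtin` means the kernel itself must be updated or rebuilt since the filesystem cannot be disabled by configuration.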
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.