CVE-2025-71105 Overview
A vulnerability has been identified in the Linux kernel's f2fs (Flash-Friendly File System) module related to improper handling of slab cache naming. The issue occurs when creating per-superblock slab caches for extended attributes (inline_xattr_slab), which can result in kernel warnings and potential system instability when multiple f2fs filesystems are mounted with conflicting slab cache names.
Critical Impact
This vulnerability can cause kernel warnings and potential denial of service conditions when remounting f2fs filesystems, as the slab cache system encounters duplicate cache name conflicts during filesystem operations.
Affected Products
- Linux kernel versions with f2fs module support
- Systems using f2fs filesystem with extended attributes enabled
- Linux kernel versions prior to the fixes applied across the stable branches
Discovery Timeline
- January 14, 2026 - CVE-2025-71105 published to NVD
- January 19, 2026 - Last updated in NVD database
Technical Details for CVE-2025-71105
Vulnerability Analysis
The vulnerability exists in the f2fs filesystem's handling of slab cache creation for extended attribute (xattr) entries. When multiple f2fs filesystems are mounted, each superblock attempts to create its own slab cache with a name based on the device's major:minor numbers (e.g., f2fs_xattr_entry-7:7).
The issue arises from how the kernel's slab allocator handles caches with identical sizes. When two slab caches are created with the same size but different names, the slab system optimizes by sharing the underlying cache structure, using the first cache's name. This creates a reference-counted shared structure rather than two separate caches.
The problem manifests when the first cache is destroyed (e.g., during unmount). The slab system only decrements the reference count rather than fully releasing the cache. Subsequently, when attempting to remount the filesystem and recreate a cache with the original name, the kernel's kmem_cache_sanity_check() function detects the name collision with the still-existing (shared) cache structure and triggers a kernel warning.
Root Cause
The root cause is the use of per-superblock slab cache naming for f2fs_xattr_entry structures. When multiple filesystems create caches with the same slab object size, the kernel's slab merging optimization causes name collisions during the mount/unmount cycle. The function f2fs_init_xattr_caches() in fs/f2fs/xattr.c creates these per-superblock caches, leading to the collision when cache names are reused after reference count manipulation.
Attack Vector
The vulnerability can be triggered through a sequence of filesystem mount operations:
- Mount a first f2fs filesystem (creates slab cache f2fs_xattr_entry-7:3)
- Mount a second f2fs filesystem with similar xattr configuration (creates f2fs_xattr_entry-7:7, but shares underlying cache)
- Unmount the first filesystem (decrements reference count but cache persists)
- Remount the first filesystem (attempts to create f2fs_xattr_entry-7:3 again, triggering the warning)
The attack sequence involves standard mount operations that can trigger kernel warnings at mm/slab_common.c:110 in kmem_cache_sanity_check(), potentially causing system instability or denial of service through repeated warnings.
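The merge-and-refcount behaviour and the four-step mount sequence above, reproduced in a small Python model. This is an added illustration, not kernel code and not taken from the f2fs patch; ToySlab, run_sequence, the object sizes and the global cache name are assumptions made for the example.

```python
# Simplified model of the slab behaviour described above; not kernel code.
# ToySlab and run_sequence are hypothetical names; sizes are constructed values.
class ToySlab:
    def __init__(self):
        self.caches = []     # each entry: {"name", "size", "refs"}
        self.warnings = []   # names that tripped the duplicate-name check

    def create(self, name, size):
        # Stands in for kmem_cache_sanity_check(): warn on an existing name.
        if any(c["name"] == name for c in self.caches):
            self.warnings.append(name)
        # Merging: a cache of the same size is shared and keeps its first name.
        for c in self.caches:
            if c["size"] == size:
                c["refs"] += 1
                return c
        cache = {"name": name, "size": size, "refs": 1}
        self.caches.append(cache)
        return cache

    def destroy(self, cache):
        # Destroy drops one reference; the cache is released only at zero.
        cache["refs"] -= 1
        if cache["refs"] == 0:
            self.caches.remove(cache)

def run_sequence(per_superblock, size_a=64, size_b=64):
    """Mount 7:3, mount 7:7, unmount 7:3, remount 7:3; return warnings raised."""
    slab, mounted = ToySlab(), {}
    # Fixed behaviour: one global cache, created once (name is a placeholder).
    shared = None if per_superblock else slab.create("global_xattr_cache", size_a)

    def mount(dev, size):
        mounted[dev] = (slab.create(f"f2fs_xattr_entry-{dev}", size)
                        if per_superblock else shared)

    def umount(dev):
        cache = mounted.pop(dev)
        if per_superblock:
            slab.destroy(cache)

    mount("7:3", size_a)
    mount("7:7", size_b)
    umount("7:3")
    mount("7:3", size_a)   # remount: the per-superblock name is requested again
    return slab.warnings

if __name__ == "__main__":
    print(run_sequence(True), run_sequence(False), run_sequence(True, 64, 128))
```

In the model, the warning appears only when both filesystems request the same object size with per-superblock names; different sizes or a single global cache leave the warning list empty.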
Detection Methods for CVE-2025-71105
Indicators of Compromise
- Kernel warnings containing kmem_cache of name 'f2fs_xattr_entry-*' already exists
- Warning messages at mm/slab_common.c:110 in kmem_cache_sanity_check function
- Call traces showing f2fs_init_xattr_caches followed by f2fs_fill_super during mount operations
Detection Strategies
- Monitor kernel logs (dmesg) for kmem_cache_sanity_check warnings related to f2fs
- Enable kernel warning tracking for __kmem_cache_create_args failures
- Implement alerting for repeated f2fs mount/unmount cycles that produce slab cache warnings
Monitoring Recommendations
- Configure syslog monitoring for f2fs-related kernel warnings
- Track mount/unmount patterns for f2fs filesystems to identify potential trigger conditions
- Monitor system stability metrics when multiple f2fs filesystems are in use
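One way to turn the indicators and detection strategies above into a log check, shown as an added example rather than vendor or kernel tooling. The sample log lines are constructed, and the 40-line correlation window and the function names find_collisions and repeated_devices are assumptions.

```python
import re
from collections import Counter

# Signature strings below are the ones this advisory lists as indicators.
DUP_RE = re.compile(r"kmem_cache of name 'f2fs_xattr_entry-(\d+:\d+)' already exists")
TRACE_FUNCS = ("f2fs_init_xattr_caches", "f2fs_fill_super")
WINDOW = 40  # assumption: how many following lines may belong to one warning

def find_collisions(lines):
    """Return (major:minor, trace_confirmed) for each f2fs duplicate-name warning."""
    hits = []
    for i, line in enumerate(lines):
        m = DUP_RE.search(line)
        if not m:
            continue
        following = []
        for nxt in lines[i + 1:i + 1 + WINDOW]:
            if "kmem_cache of name" in nxt:  # the next warning starts here
                break
            following.append(nxt)
        confirmed = all(any(f in l for l in following) for f in TRACE_FUNCS)
        hits.append((m.group(1), confirmed))
    return hits

def repeated_devices(hits, threshold=2):
    """Devices that warned at least `threshold` times (repeated remount cycles)."""
    counts = Counter(dev for dev, _ in hits)
    return sorted(dev for dev, n in counts.items() if n >= threshold)

# Constructed sample log: timestamps, PIDs and offsets are made up.
SAMPLE_DMESG = """\
[  140.500] kmem_cache of name 'f2fs_xattr_entry-7:3' already exists
[  140.501] WARNING: CPU: 0 PID: 812 at mm/slab_common.c:110 kmem_cache_sanity_check
[  140.502]  __kmem_cache_create_args+0x5e/0x2a0
[  140.503]  f2fs_init_xattr_caches+0x78/0xb0
[  140.504]  f2fs_fill_super+0x1a10/0x2b00
[  190.000] kmem_cache of name 'f2fs_xattr_entry-7:3' already exists
[  190.001]  f2fs_init_xattr_caches+0x78/0xb0
[  190.002]  f2fs_fill_super+0x1a10/0x2b00
[  230.000] kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
[  230.001] WARNING: CPU: 1 PID: 955 at mm/slab_common.c:110 kmem_cache_sanity_check
[  231.000] kmem_cache of name 'example_cache' already exists
""".splitlines()

if __name__ == "__main__":
    hits = find_collisions(SAMPLE_DMESG)
    print(hits, repeated_devices(hits))
```

A hit with `trace_confirmed` set to False means the message matched but the f2fs mount path was not seen in the following lines, for example because the trace was truncated in the log.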
How to Mitigate CVE-2025-71105
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review systems with multiple f2fs mounted filesystems for potential exposure
- Consider temporarily limiting f2fs mount/unmount cycles on affected systems until patching is complete
Patch Information
The fix addresses this vulnerability by using a global inline_xattr_slab cache instead of per-superblock slab caches. This eliminates the name collision issue by sharing a single, properly managed cache across all f2fs superblocks.
Multiple kernel patches are available across stable branches:
- Kernel Patch 1eb0b130196b
- Kernel Patch 1f27ef42bb0b
- Kernel Patch 474cc3ed3743
- Kernel Patch 72ce19dfed16
- Kernel Patch 93d30fe19660
- Kernel Patch be4c3a3c6c23
- Kernel Patch e6d828eae00e
Workarounds
- Avoid rapid mount/unmount cycles of multiple f2fs filesystems on the same system
- Consider using alternative filesystems temporarily if f2fs mount operations are causing instability
- Monitor for kernel warnings and restart affected services if warnings occur

