CVE-2025-71230 Overview
A memory leak vulnerability exists in the Linux kernel's HFS filesystem implementation. When HFS was converted to the new mount API, a bug was introduced that changed the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfs_fill_super() takes ownership of the filesystem-specific s_fs_info data, the memory is leaked.
Critical Impact
This vulnerability can lead to kernel memory exhaustion through repeated mount failures, potentially causing system instability or denial of service conditions on systems that handle HFS filesystem mounts.
Affected Products
- Linux Kernel (HFS filesystem component)
- Systems with HFS filesystem support enabled
- Linux distributions using affected kernel versions
Discovery Timeline
- 2026-02-18 - CVE-2025-71230 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-71230
Vulnerability Analysis
The vulnerability resides in the HFS filesystem driver within the Linux kernel. During the migration to the new mount API, the allocation and ownership semantics of the superblock's filesystem-specific information (sb->s_fs_info) were altered in a way that introduced a memory leak condition.
The issue occurs in a specific failure path: when setup_bdev_super() encounters an error after sget_fc() has successfully allocated a new superblock but before hfs_fill_super() has completed and taken ownership of the s_fs_info structure. In this window, the allocated memory has no owner responsible for freeing it, resulting in a memory leak.
Root Cause
The root cause is improper resource management during filesystem mount operations. The conversion to the new mount API changed when and how sb->s_fs_info is allocated and freed. The original implementation properly handled cleanup in all failure scenarios, but the new implementation introduced a gap where early failures in setup_bdev_super() would leave allocated memory orphaned without a cleanup handler registered.
Attack Vector
The vulnerability can be triggered through repeated mount operations targeting the HFS filesystem. An attacker with the ability to mount filesystems (either through direct system access or by influencing mount operations) could repeatedly trigger the failure condition to exhaust kernel memory. The attack vector requires local access to the system with sufficient privileges to attempt filesystem mounts.
The fix implemented in hfs_kill_super() ensures that sb->s_fs_info is properly freed during superblock destruction, closing the memory leak regardless of where in the mount process the failure occurs.
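The ownership gap and the fix described above, modelled in user space as an added example (not kernel code and not the upstream patch). The comments refer to the functions named in this advisory; `model_sb`, `model_mount`, `leaked_after`, the `filled` flag and the allocation counter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (assumption): simplified stand-ins, not kernel code. */
static int live_allocs;              /* s_fs_info objects not yet freed */
static char token;                   /* stands in for the allocation */

struct model_sb { void *s_fs_info; bool filled; };

static void *model_alloc(void) { live_allocs++; return &token; }
static void model_free(void *p) { if (p) live_allocs--; }

/* Before the fix: only the path reached after hfs_fill_super() frees. */
static void kill_super_before(struct model_sb *sb)
{
    if (sb->filled)
        model_free(sb->s_fs_info);
    sb->s_fs_info = NULL;
}

/* After the fix: destruction always frees s_fs_info. */
static void kill_super_after(struct model_sb *sb)
{
    model_free(sb->s_fs_info);
    sb->s_fs_info = NULL;
}

/* One mount attempt; bdev_ok == false models setup_bdev_super() failing. */
static void model_mount(bool bdev_ok, void (*kill_sb)(struct model_sb *))
{
    struct model_sb sb = { model_alloc(), false };  /* sget_fc() step */
    if (bdev_ok)
        sb.filled = true;            /* hfs_fill_super() took ownership */
    kill_sb(&sb);                    /* superblock destruction */
}

/* Objects still allocated after n mount attempts. */
int leaked_after(int n, bool bdev_ok, bool fixed)
{
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        model_mount(bdev_ok, fixed ? kill_super_after : kill_super_before);
    return live_allocs;
}

int main(void)
{
    printf("before fix: %d leaked\n", leaked_after(1000, false, false));
    printf("after fix:  %d leaked\n", leaked_after(1000, false, true));
    return 0;
}
```

In the model, each failed attempt before the fix leaves one object outstanding, which is why repeated mount failures translate into steady kernel memory growth.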
Detection Methods for CVE-2025-71230
Indicators of Compromise
- Unusual kernel memory consumption growth over time
- Repeated HFS mount failure messages in system logs
- Kernel memory allocation warnings or out-of-memory conditions
Detection Strategies
- Monitor system logs for repeated HFS mount failures using dmesg or syslog analysis
- Track kernel slab allocations related to HFS filesystem structures
- Implement kernel memory usage monitoring with alerting on abnormal growth patterns
- Review mount operation logs for suspicious patterns of failed mount attempts
Monitoring Recommendations
- Enable kernel memory debugging options to detect memory leaks
- Configure system monitoring to alert on kernel memory exhaustion
- Audit mount operations for HFS filesystems on affected systems
- Implement rate limiting on filesystem mount operations where feasible
How to Mitigate CVE-2025-71230
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository
- Consider disabling HFS filesystem support if not required (CONFIG_HFS_FS=n)
- Restrict mount privileges to trusted users only
- Monitor systems for signs of memory exhaustion
Patch Information
The vulnerability has been resolved in the Linux kernel. The fix ensures sb->s_fs_info is properly freed in hfs_kill_super(), eliminating the memory leak in all failure scenarios. Official patches are available through the Linux kernel git repository:
- Kernel Git Commit 399219831514126bc9541e8eadefe02c6fbd9166
- Kernel Git Commit 46c1d56ad321fb024761abd9af61a0cb616cf2f6
Workarounds
- Disable HFS filesystem support in kernel configuration if not required
- Restrict filesystem mount operations to trusted administrators
- Implement mount operation monitoring and rate limiting
- Use containerization to isolate mount operations from the host kernel
```bash
# Disable HFS filesystem module loading
echo "install hfs /bin/false" >> /etc/modprobe.d/disable-hfs.conf
echo "install hfsplus /bin/false" >> /etc/modprobe.d/disable-hfs.conf
# Unload the module if currently loaded
modprobe -r hfs 2>/dev/null || true
modprobe -r hfsplus 2>/dev/null || true
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

