CVE-2025-71237 Overview
CVE-2025-71237 is an integer underflow vulnerability in the Linux kernel's nilfs2 filesystem implementation. The vulnerability occurs when a user executes the FITRIM command, causing an underflow during the calculation of nblocks when end_block is too small. Since nblocks is of type sector_t (which is u64), a negative value becomes an extremely large positive integer, leading to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain.
Critical Impact
This vulnerability allows local users to cause a denial of service condition by triggering a system hang. The ns_segctor_sem lock remains held for an extended period, preventing other tasks from acquiring it and resulting in system unresponsiveness.
Affected Products
- Linux Kernel with nilfs2 filesystem support
- Systems utilizing FITRIM operations on nilfs2 filesystems
- Linux distributions with vulnerable kernel versions
Discovery Timeline
- 2026-02-18 - CVE CVE-2025-71237 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-71237
Vulnerability Analysis
The vulnerability resides in the nilfs2 filesystem's handling of the FITRIM ioctl command, which is used for SSD TRIM operations. When processing this command, the kernel calculates the number of blocks (nblocks) to be trimmed. If the ending block value provided by the user is too small (typically smaller than the 4KiB range), the calculation can result in an integer underflow.
The core issue stems from the unsigned nature of the sector_t type used for nblocks. When the subtraction operation produces what should be a negative result, the unsigned 64-bit integer wraps around to a massive positive value. This causes __blkdev_issue_discard() to attempt processing an astronomically large bio chain, effectively hanging the system.
The stack trace from syzbot's report shows the segctord kernel thread stuck in a D (uninterruptible sleep) state attempting to acquire the ns_segctor_sem write lock in nilfs_transaction_lock(), demonstrating the lock contention caused by this vulnerability.
Root Cause
The root cause is improper validation of the FITRIM range parameters before performing arithmetic operations. The code fails to verify that the ending block is large enough to produce a valid (non-negative) nblocks value. Additionally, depending on the usage of segment 0, attempting a discard request beyond the device size may be possible when the ending block is too small.
Attack Vector
A local attacker with the ability to execute FITRIM ioctl commands on a nilfs2 filesystem can exploit this vulnerability. The attack involves crafting FITRIM parameters with an end_block value that is intentionally too small, triggering the integer underflow condition.
The vulnerability is exploited through the following mechanism: when the FITRIM command is issued with malformed parameters, the calculation of nblocks underflows, causing the block layer to process an effectively infinite bio chain while holding the ns_segctor_sem lock, preventing other filesystem operations and causing a system hang.
Detection Methods for CVE-2025-71237
Indicators of Compromise
- System processes stuck in uninterruptible sleep (D state) related to nilfs2 operations
- Kernel threads showing nilfs_transaction_lock or nilfs_segctor_thread in stack traces
- System unresponsiveness following FITRIM operations on nilfs2 filesystems
- Elevated CPU usage from block layer discard processing
Detection Strategies
- Monitor for processes in D state with nilfs2-related stack traces using tools like ps or /proc/[pid]/stack
- Implement auditd rules to track FITRIM ioctl calls on nilfs2 mounted filesystems
- Deploy kernel tracing (ftrace/eBPF) to monitor nilfs2 FITRIM operations with suspicious parameters
- Review system logs for segctord thread warnings or lock contention messages
Monitoring Recommendations
- Configure alerting for sustained high CPU usage in kernel block layer functions
- Monitor for abnormal lock hold times on nilfs2 semaphores
- Implement watchdog timers to detect and recover from system hangs
- Track FITRIM ioctl usage patterns for anomalous small range parameters
How to Mitigate CVE-2025-71237
Immediate Actions Required
- Apply the latest kernel patches that address this vulnerability
- Restrict access to FITRIM ioctl operations to trusted users only
- Consider temporarily disabling FITRIM operations on nilfs2 filesystems until patched
- Monitor systems using nilfs2 for signs of exploitation attempts
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix implements a conservative strategy that safely ignores invalid FITRIM range parameters, treating them as a no-op operation. When the start and len values are too small, the patched code exits successfully and assigns the discarded size (0 in this case) to range->len without performing any trimming or throwing an error.
Multiple kernel stable branches have received patches:
- Kernel Patch Note 2438982
- Kernel Patch Note 4aa45f8
- Kernel Patch Note 6457d3e
- Kernel Patch Note b8c5ee2
- Kernel Patch Note ba18e5f
- Kernel Patch Note df1e207
- Kernel Patch Note ea22786
Workarounds
- Restrict FITRIM ioctl access using filesystem permissions or security modules (SELinux/AppArmor)
- Disable user access to FITRIM operations via appropriate capabilities restrictions
- Monitor and audit nilfs2 filesystem operations for suspicious activity
- Consider migrating critical workloads to alternative filesystems until patching is complete
# Configuration example
# Restrict FITRIM capabilities using capabilities(7)
# Remove CAP_SYS_ADMIN from untrusted processes
setcap -r /path/to/untrusted/binary
# Mount nilfs2 with restricted options (review for your environment)
mount -t nilfs2 -o noexec,nosuid /dev/sdX /mnt/nilfs2
# Monitor for nilfs2 lock contention
cat /proc/locks | grep nilfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
