Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71237

CVE-2025-71237: Linux Kernel nilfs2 DoS Vulnerability

CVE-2025-71237 is a denial of service flaw in the Linux kernel nilfs2 filesystem that causes system hangs through FITRIM command exploitation. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71237 Overview

CVE-2025-71237 is an integer underflow vulnerability in the Linux kernel's nilfs2 filesystem implementation. The vulnerability occurs when a user executes the FITRIM command, causing an underflow during the calculation of nblocks when end_block is too small. Since nblocks is of type sector_t (which is u64), a negative value becomes an extremely large positive integer, leading to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain.

Critical Impact

This vulnerability allows local users to cause a denial of service condition by triggering a system hang. The ns_segctor_sem lock remains held for an extended period, preventing other tasks from acquiring it and resulting in system unresponsiveness.

Affected Products

  • Linux Kernel with nilfs2 filesystem support
  • Systems utilizing FITRIM operations on nilfs2 filesystems
  • Linux distributions with vulnerable kernel versions

Discovery Timeline

  • 2026-02-18 - CVE CVE-2025-71237 published to NVD
  • 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2025-71237

Vulnerability Analysis

The vulnerability resides in the nilfs2 filesystem's handling of the FITRIM ioctl command, which is used for SSD TRIM operations. When processing this command, the kernel calculates the number of blocks (nblocks) to be trimmed. If the ending block value provided by the user is too small (typically smaller than the 4KiB range), the calculation can result in an integer underflow.

The core issue stems from the unsigned nature of the sector_t type used for nblocks. When the subtraction operation produces what should be a negative result, the unsigned 64-bit integer wraps around to a massive positive value. This causes __blkdev_issue_discard() to attempt processing an astronomically large bio chain, effectively hanging the system.

The stack trace from syzbot's report shows the segctord kernel thread stuck in a D (uninterruptible sleep) state attempting to acquire the ns_segctor_sem write lock in nilfs_transaction_lock(), demonstrating the lock contention caused by this vulnerability.

Root Cause

The root cause is improper validation of the FITRIM range parameters before performing arithmetic operations. The code fails to verify that the ending block is large enough to produce a valid (non-negative) nblocks value. Additionally, depending on the usage of segment 0, attempting a discard request beyond the device size may be possible when the ending block is too small.

Attack Vector

A local attacker with the ability to execute FITRIM ioctl commands on a nilfs2 filesystem can exploit this vulnerability. The attack involves crafting FITRIM parameters with an end_block value that is intentionally too small, triggering the integer underflow condition.

The vulnerability is exploited through the following mechanism: when the FITRIM command is issued with malformed parameters, the calculation of nblocks underflows, causing the block layer to process an effectively infinite bio chain while holding the ns_segctor_sem lock, preventing other filesystem operations and causing a system hang.

Detection Methods for CVE-2025-71237

Indicators of Compromise

  • System processes stuck in uninterruptible sleep (D state) related to nilfs2 operations
  • Kernel threads showing nilfs_transaction_lock or nilfs_segctor_thread in stack traces
  • System unresponsiveness following FITRIM operations on nilfs2 filesystems
  • Elevated CPU usage from block layer discard processing

Detection Strategies

  • Monitor for processes in D state with nilfs2-related stack traces using tools like ps or /proc/[pid]/stack
  • Implement auditd rules to track FITRIM ioctl calls on nilfs2 mounted filesystems
  • Deploy kernel tracing (ftrace/eBPF) to monitor nilfs2 FITRIM operations with suspicious parameters
  • Review system logs for segctord thread warnings or lock contention messages

Monitoring Recommendations

  • Configure alerting for sustained high CPU usage in kernel block layer functions
  • Monitor for abnormal lock hold times on nilfs2 semaphores
  • Implement watchdog timers to detect and recover from system hangs
  • Track FITRIM ioctl usage patterns for anomalous small range parameters

How to Mitigate CVE-2025-71237

Immediate Actions Required

  • Apply the latest kernel patches that address this vulnerability
  • Restrict access to FITRIM ioctl operations to trusted users only
  • Consider temporarily disabling FITRIM operations on nilfs2 filesystems until patched
  • Monitor systems using nilfs2 for signs of exploitation attempts

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix implements a conservative strategy that safely ignores invalid FITRIM range parameters, treating them as a no-op operation. When the start and len values are too small, the patched code exits successfully and assigns the discarded size (0 in this case) to range->len without performing any trimming or throwing an error.

Multiple kernel stable branches have received patches:

Workarounds

  • Restrict FITRIM ioctl access using filesystem permissions or security modules (SELinux/AppArmor)
  • Disable user access to FITRIM operations via appropriate capabilities restrictions
  • Monitor and audit nilfs2 filesystem operations for suspicious activity
  • Consider migrating critical workloads to alternative filesystems until patching is complete
bash
# Configuration example
# Restrict FITRIM capabilities using capabilities(7)
# Remove CAP_SYS_ADMIN from untrusted processes
setcap -r /path/to/untrusted/binary

# Mount nilfs2 with restricted options (review for your environment)
mount -t nilfs2 -o noexec,nosuid /dev/sdX /mnt/nilfs2

# Monitor for nilfs2 lock contention
cat /proc/locks | grep nilfs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.