Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71271

CVE-2025-71271: Linux Kernel Information Disclosure Flaw

CVE-2025-71271 is an information disclosure vulnerability in the Linux kernel's hfsplus filesystem that causes memory leaks when mount operations fail. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-71271 Overview

CVE-2025-71271 is a memory leak vulnerability in the Linux kernel hfsplus filesystem driver. The flaw was introduced when hfsplus was converted to the new mount API, which changed the allocation pattern of sb->s_fs_info. When setup_bdev_super() fails after sget_fc() has already allocated a new superblock, the filesystem-specific s_fs_info data is leaked because hfsplus_fill_super() never takes ownership of it.

The upstream fix ensures sb->s_fs_info is freed inside hfsplus_kill_super(), guaranteeing cleanup regardless of where mount failures occur. The issue affects systems that mount or attempt to mount HFS+ filesystems.

Critical Impact

Repeated failed hfsplus mount attempts leak kernel memory, potentially leading to resource exhaustion on long-running systems handling untrusted block devices.

Affected Products

  • Linux kernel versions containing the hfsplus new mount API conversion
  • Distributions shipping affected stable kernel branches prior to the fix commits
  • Systems with the hfsplus filesystem module loaded or available

Discovery Timeline

  • 2026-05-06 - CVE-2025-71271 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2025-71271

Vulnerability Analysis

The vulnerability resides in the mount path of the hfsplus filesystem driver. During the conversion to the new filesystem mount API, the allocation lifecycle of the superblock private data pointer sb->s_fs_info was restructured. Under the new model, the filesystem context allocates s_fs_info early and assigns it to the superblock allocated by sget_fc().

If setup_bdev_super() fails after sget_fc() succeeds but before hfsplus_fill_super() runs, the cleanup path does not release the s_fs_info allocation. The fill-super function would normally take ownership of this pointer, but it never executes in this failure window. This results in a kernel memory leak each time the failure path is triggered.

Root Cause

The root cause is incomplete cleanup logic in hfsplus_kill_super() after the mount API refactor. The function did not free sb->s_fs_info, which is now allocated earlier in the mount sequence. The patch corrects this by adding the missing kfree() call so that the superblock kill function consistently releases filesystem-specific state.

Attack Vector

A local attacker with the ability to trigger hfsplus mount operations on crafted or invalid block devices can repeatedly invoke the failing mount path. Each failed attempt leaks the hfsplus_sb_info structure. Over time this consumes kernel memory and degrades system stability. Automated mount handlers for removable media may amplify exposure on multi-user or kiosk systems.

No arbitrary code execution or privilege escalation results directly from this flaw. The vulnerability is described in the upstream commits referenced by the Linux stable tree.

Detection Methods for CVE-2025-71271

Indicators of Compromise

  • Steady growth of unaccounted slab memory associated with hfsplus_sb_info allocations in /proc/slabinfo
  • Repeated mount failures referencing hfsplus in kernel logs (dmesg) without corresponding successful mounts
  • Unexpected kernel memory pressure on systems that automount removable media

Detection Strategies

  • Audit kernel slab caches for unbounded growth tied to filesystem mount activity
  • Correlate failed mount syscalls (mount(2) returning errors) with hfsplus filesystem types in audit logs
  • Track kernel version against the fix commits 0bcfebb83b54, 126fb0ce9943, and 1e38d32bb04d

Monitoring Recommendations

  • Enable Linux audit rules for mount and umount syscalls and forward to centralized logging
  • Alert on repeated mount failures from the same user or process within a short window
  • Monitor overall kernel memory consumption trends on long-uptime hosts that handle external storage

How to Mitigate CVE-2025-71271

Immediate Actions Required

  • Apply the upstream stable kernel update containing the hfsplus_kill_super() cleanup fix
  • Restrict mount privileges so untrusted users cannot trigger arbitrary hfsplus mounts
  • Disable automatic mounting of HFS+ media on systems where it is not required

Patch Information

The fix is available in the Linux stable tree across multiple branches. Reference commits include 0bcfebb83b5460d5be4e5c9dfb19cdaf3d4cb1db, 126fb0ce99431126b44a6c360192668c818f641f, and 1e38d32bb04d85a2c81204a85a34878a497128c8. See the Linux Kernel Git repository for the patch content. Rebuild and deploy a kernel that includes these commits, or install the equivalent vendor-provided package update.

Workarounds

  • Blacklist the hfsplus kernel module on systems that do not require HFS+ support
  • Configure udev and desktop automounters to ignore HFS+ partitions on untrusted media
  • Limit CAP_SYS_ADMIN and mount capabilities to trusted administrative accounts only
bash
# Configuration example: prevent loading the hfsplus module
echo "install hfsplus /bin/true" | sudo tee /etc/modprobe.d/disable-hfsplus.conf
sudo rmmod hfsplus 2>/dev/null || true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.