CVE-2025-71292 Overview
CVE-2025-71292 is a Linux kernel vulnerability in the Journaled File System (JFS) implementation. The flaw resides in the jfs_rename function and causes an nlink counter overflow on directories with the maximum link count. When a child directory is renamed inside a parent whose nlink value is -1 (saturated), the kernel first increments and then decrements the counter, wrapping it through zero. This triggers a drop_nlink warning detected by the syzbot fuzzing infrastructure. The issue affects directory link bookkeeping inside the JFS filesystem and has been resolved upstream through multiple stable-kernel backports.
Critical Impact
Local users able to perform rename operations on a JFS-mounted directory with a saturated nlink count can trigger kernel warnings and inconsistent filesystem link state.
Affected Products
- Linux kernel versions including the JFS filesystem driver prior to the fixes referenced in the kernel.org stable tree
- Linux distributions shipping JFS (fs/jfs) as a built-in or loadable module
- Stable kernel branches receiving the backport commits listed in the upstream references
Discovery Timeline
- 2026-05-06 - CVE-2025-71292 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71292
Vulnerability Analysis
The vulnerability is an integer overflow in directory link count handling within the JFS rename path. In Linux, each directory inode tracks its hard-link count using the nlink field. When a child directory is renamed inside its parent, the kernel temporarily adjusts the parent's nlink to maintain referential integrity for the .. entry. Specifically, jfs_rename increments the parent nlink and later decrements it, expecting the value to remain consistent.
If the parent directory is already at the maximum representable value of -1 (the saturation marker used by the kernel to indicate nlink should not be tracked further), incrementing wraps the value to 0. The subsequent drop_nlink call then operates on a zero nlink, triggering a WARN_ON and leaving the directory in an inconsistent link-count state. The condition was identified by syzbot, which produces reproducers for kernel filesystems under fuzzing.
Root Cause
The root cause is the absence of a saturation check in jfs_rename before adjusting the parent directory's nlink. The code path does not verify whether nlink has reached its maximum sentinel value before performing the increment, allowing the counter to wrap. The upstream patch adds a guard so the increment and matching decrement are skipped when the value is already saturated, preserving consistency with how other filesystems handle the same edge case.
Attack Vector
Exploitation requires local filesystem access and the ability to construct a JFS directory hierarchy in which a parent directory's link count has been driven to its maximum value. An attacker with write access to such a directory can trigger the overflow by renaming a child subdirectory within the same parent. The result is a kernel warning and corrupt link accounting rather than memory corruption or privilege escalation. The vulnerability is a denial-of-service and filesystem-integrity issue local to systems mounting JFS volumes.
No public proof-of-concept exploit has been published. The condition was reproduced by the syzbot kernel fuzzer, and the fix has been validated against the original reproducer and basic filesystem regression tests. Refer to the upstream kernel commits for the technical patch details.
Detection Methods for CVE-2025-71292
Indicators of Compromise
- Kernel log entries containing WARNING traces from drop_nlink referencing JFS inode operations
- dmesg output showing jfs_rename call stacks accompanied by link-count anomalies
- Filesystem consistency checks (fsck.jfs) reporting unexpected directory link counts on mounted JFS volumes
Detection Strategies
- Monitor /var/log/kern.log and journalctl -k for WARN_ON events originating from fs/jfs/namei.c or drop_nlink
- Audit running kernel versions against the fixed commit hashes published in the kernel.org stable tree
- Inventory hosts mounting JFS filesystems using mount, findmnt -t jfs, or /proc/mounts parsing
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized logging or SIEM platform to flag JFS-related warnings
- Track unexpected reboots or kernel taint flags on systems with JFS in production
- Establish baselines for filesystem warnings so anomalous drop_nlink traces are surfaced for review
How to Mitigate CVE-2025-71292
Immediate Actions Required
- Apply the kernel update from your distribution that incorporates the upstream JFS rename fix
- Identify systems mounting JFS volumes and prioritize them for patching
- Where patching is delayed, restrict local user access to JFS-mounted directories writable by untrusted accounts
Patch Information
The vulnerability is resolved in multiple stable kernel branches through commits including 2108829a59f0, 5d77c36cd4b6, 9218dc26fd92, 93c325746ae5, a3d66089e50a, b4330a0d0947, f70fcbc2ac7c, and fe136426e30c. Apply the corresponding distribution kernel package or rebuild from the patched stable tree referenced in the Linux kernel commit history.
Workarounds
- Unmount JFS filesystems and migrate data to an alternative filesystem such as ext4 or XFS where feasible
- Blacklist the jfs kernel module on systems that do not require it to prevent loading
- Limit rename(2) operations on JFS directories with high link counts by tightening directory permissions
# Disable the JFS kernel module on hosts that do not require it
echo "blacklist jfs" | sudo tee /etc/modprobe.d/blacklist-jfs.conf
sudo update-initramfs -u
# Identify currently mounted JFS filesystems
findmnt -t jfs
# Verify the running kernel version against the fixed stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

