CVE-2025-71295 Overview
CVE-2025-71295 is a null pointer dereference vulnerability in the Linux kernel's filesystem buffer management code. The flaw exists in try_to_free_buffers() within fs/buffer.c, which can be invoked on folios that have no buffers attached. The condition triggers when filemap_release_folio() runs on a folio belonging to a mapping with the AS_RELEASE_ALWAYS flag set but no release_folio operation defined. The kernel maintainers resolved the issue by adding an early return and a WARN_ON_ONCE() alert when a folio without buffers is encountered.
Critical Impact
Triggering the unsafe path leads to a null pointer dereference in the kernel, resulting in a kernel oops or system crash and local denial of service.
Affected Products
- Linux kernel (mainline) prior to commits referenced in upstream stable trees
- Linux kernel stable branches receiving the backported fix
- Distributions shipping kernels that include the affected fs/buffer code path
Discovery Timeline
- 2026-05-06 - CVE-2025-71295 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71295
Vulnerability Analysis
The vulnerability resides in the Linux kernel's page cache release path. When filemap_release_folio() is called on a folio whose address space has AS_RELEASE_ALWAYS set, the helper folio_needs_release() returns true regardless of whether the folio actually carries private buffer data. The kernel then dispatches to try_to_free_buffers(), which assumes the folio has attached buffers and calls drop_buffers() on them.
If no buffers are attached, the buffer head pointer obtained from the folio's private data is NULL. Dereferencing this pointer triggers a kernel oops. The result is a local denial of service condition reachable through filesystem operations against mappings configured with AS_RELEASE_ALWAYS but lacking a release_folio callback.
The upstream fix introduces a defensive check that returns early when no buffers are present, accompanied by WARN_ON_ONCE() to surface the misconfiguration in kernel logs. This is hardening rather than a fix for an attacker-controlled primitive, and the EPSS score reflects the low likelihood of weaponization.
Root Cause
The root cause is an inconsistency between two release-path signals. AS_RELEASE_ALWAYS indicates a folio always requires release handling, while the absence of buffers and a release_folio operation indicates there is nothing to release. try_to_free_buffers() did not validate the folio's buffer state before operating on it, leading to the null pointer dereference [CWE-476].
Attack Vector
The vulnerability is triggered through normal kernel filesystem operations on a misconfigured address space. An attacker requires local access and the ability to interact with a filesystem or driver that registers a mapping with AS_RELEASE_ALWAYS but does not provide a release_folio operation. The condition is primarily reachable through buggy or in-development filesystem code rather than by direct user-space input. The vulnerability mechanism is documented in the kernel commits referenced in the Kernel Git Commit 727e514 and Kernel Git Commit b68f91e.
Detection Methods for CVE-2025-71295
Indicators of Compromise
- Kernel oops or panic messages referencing try_to_free_buffers or drop_buffers in dmesg and /var/log/kern.log.
- WARN_ON_ONCE() warnings emitted from fs/buffer.c after the fix is applied, indicating a misconfigured address space was encountered.
- Unexpected system reboots or process termination tied to filesystem release operations.
Detection Strategies
- Monitor kernel ring buffer output for null pointer dereference traces with call stacks containing filemap_release_folio and try_to_free_buffers.
- Compare running kernel versions against vendor advisories and upstream stable commits to identify hosts missing the patch.
- Audit out-of-tree kernel modules and filesystem drivers for address spaces that set AS_RELEASE_ALWAYS without defining a release_folio operation.
Monitoring Recommendations
- Forward kernel logs to a central log management or SIEM platform and alert on oops, panic, and WARN_ON_ONCE events.
- Track kernel package versions across the fleet using configuration management tooling to confirm patch deployment.
- Investigate hosts that produce repeated kernel warnings from fs/buffer.c, since these indicate either reachable misconfiguration or pre-patch crash conditions.
How to Mitigate CVE-2025-71295
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream fix.
- Reboot affected systems after patching to load the corrected kernel image.
- Restrict local access on multi-tenant hosts until patches are deployed, since exploitation requires local interaction with affected filesystem paths.
Patch Information
The fix adds an early return and WARN_ON_ONCE() in try_to_free_buffers() for folios without buffers. The change is distributed across multiple stable trees in the following commits: Kernel Git Commit 1b111a6, Kernel Git Commit 42c32d7, Kernel Git Commit 727e514, Kernel Git Commit b68f91e, Kernel Git Commit c1b6227, and Kernel Git Commit c6246ca. Consult your distribution's security advisory for the specific package version that includes these commits.
Workarounds
- No vendor-supplied workaround exists. Patching the kernel is the supported remediation.
- Avoid loading out-of-tree filesystem drivers that set AS_RELEASE_ALWAYS without implementing release_folio until kernels include the defensive check.
- Where immediate patching is not feasible, limit untrusted local users and constrain filesystem mount options that could reach the affected code path.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
