
CVE-2025-37741: Vulnerability in Linux

High
Published: Thu May 01 2025 (05/01/2025, 12:55:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: Prevent copying of nlink with value 0 from disk inode

syzbot reports a deadlock in diFree. [1]

When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, which does not match the mounted loop device, causing the mapping of the mounted loop device to be invalidated.

When creating the directory and creating the inode of iag in diReadSpecial(), read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the metapage data it returns is corrupted, which causes the nlink value of 0 to be assigned to the iag inode when executing copy_from_dinode(), which ultimately causes a deadlock when entering diFree().

To avoid this, first check the nlink value of dinode before setting iag inode.

[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(imap->im_aglock[index]));
  lock(&(imap->im_aglock[index]));

 *** DEADLOCK ***

 May be due to missing lock nesting notation

5 locks held by syz-executor301/5309:
 #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
 evict+0x4e8/0x9b0 fs/inode.c:725
 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
 duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
 diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
 diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
 do_mkdirat+0x264/0x3a0 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
 do_syscall_x64 arch/x86/en ---truncated---

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 22:26:14 UTC

Technical Analysis

CVE-2025-37741 is a vulnerability identified in the Linux kernel's JFS (Journaled File System) implementation. The issue arises from improper handling of the nlink (link count) value of inodes read from disk, specifically when the nlink value is zero. The vulnerability is triggered during operations involving the JFS inode allocation and deallocation routines, particularly in the functions diFree, diAlloc, and related inode management code paths. The root cause is that when reading the metadata page (metapage) of a fixed disk inode in raw mode, corrupted data can cause the nlink value to be set to zero erroneously. This leads to a deadlock scenario due to recursive locking attempts on the same lock (im_aglock) within the JFS inode map code. The deadlock occurs because the system tries to free an inode with an invalid nlink value, causing nested lock acquisitions that the kernel's lock dependency checker flags as unsafe. The vulnerability is triggered by the ioctl call LOOP_SET_STATUS64 with an offset value that does not match the mounted loop device, invalidating the device mapping and contributing to the corrupted inode state. The deadlock manifests as a kernel hang or freeze, impacting system stability and availability. The issue was reported by syzbot, a kernel fuzzing tool, and affects Linux kernel versions prior to the fix applied around version 6.12.0-rc7. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. The vulnerability requires local access to the system to trigger the ioctl call and manipulate the JFS filesystem state, indicating that exploitation is not trivial but possible in environments where JFS is used and loop devices are manipulated.
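The defect described in the commit message and the analysis above comes down to one missing validation: a link count of 0 read from a corrupted on-disk inode was copied into the in-memory iag inode, so the kernel later treated a freshly allocated inode as already unlinked and evicted it into diFree() while diAlloc() still held the AG lock. The following is an added user-space model of that check, not kernel code or the upstream patch; the struct layouts, the function names with the `_model`/`_checked` suffixes, and the choice of -EIO as the error return are this example's assumptions.

```c
/* Added example, not kernel code: a user-space model of the CVE-2025-37741
 * fix (the check belongs where jfs_imap.c copies a disk inode into the iag
 * inode). The structs are constructed stand-ins, not the real JFS layouts. */
#include <errno.h>
#include <stdint.h>

/* Constructed subset of an on-disk inode read raw from the AIT metapage. */
struct dinode_model {
    uint32_t di_number;  /* inode number */
    uint32_t di_nlink;   /* link count as stored on disk */
    uint32_t di_mode;
};

/* Constructed subset of the in-memory inode the kernel would fill in. */
struct inode_model {
    uint32_t ino;
    uint32_t nlink;
    uint32_t mode;
};

/* Before the fix: the disk value was copied unconditionally. A corrupted page
 * with di_nlink == 0 produced an inode that looked already unlinked, so
 * evicting it called diFree() on an AG lock that diAlloc() still held. */
static void copy_from_dinode_unchecked(const struct dinode_model *dp,
                                       struct inode_model *ip)
{
    ip->ino = dp->di_number;
    ip->nlink = dp->di_nlink;
    ip->mode = dp->di_mode;
}

/* After the fix (modelled): validate nlink before the copy and fail the
 * operation instead of building a zero-nlink inode. The -EIO return value
 * is this example's choice; the page does not show the kernel's exact path. */
static int copy_from_dinode_checked(const struct dinode_model *dp,
                                    struct inode_model *ip)
{
    if (dp->di_nlink == 0)
        return -EIO;  /* corrupted or stale metapage: refuse it */
    copy_from_dinode_unchecked(dp, ip);
    return 0;
}

/* Constructed sample inodes: one sane, one from a corrupted metapage. */
static const struct dinode_model sane_dinode    = { 16, 1, 0040755 };
static const struct dinode_model corrupt_dinode = { 16, 0, 0040755 };
```

The checked variant leaves the destination untouched on failure, so a caller that unwinds on a negative return never sees the inconsistent inode state the lockdep trace was reporting.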

Potential Impact

For European organizations, the impact of CVE-2025-37741 primarily concerns system availability and reliability. Organizations running Linux systems with JFS filesystems, especially those using loop devices (commonly for mounting disk images or container filesystems), could experience kernel deadlocks leading to system hangs or crashes. This can disrupt critical services, cause downtime, and potentially lead to data loss if systems become unresponsive during important operations. While the vulnerability does not directly expose confidentiality or integrity risks, the denial-of-service condition can affect business continuity. European sectors relying on Linux-based infrastructure for servers, embedded systems, or specialized storage solutions that utilize JFS might be particularly vulnerable. Since JFS is less common than other filesystems like ext4 or XFS, the overall exposure is limited but still significant in niche environments such as legacy systems or specialized appliances. The absence of known exploits reduces immediate risk, but the vulnerability's presence in the kernel means that any attacker with local access and the ability to manipulate loop devices could trigger system instability. This is especially relevant for multi-tenant environments, cloud providers, or organizations with less restrictive local user permissions.

Mitigation Recommendations

1. Upgrade the Linux kernel to a version that includes the patch fixing CVE-2025-37741, ideally version 6.12.0-rc7 or later where the fix was introduced.
2. Avoid using the JFS filesystem where possible, especially for critical systems; consider migrating to more widely used and actively maintained filesystems like ext4 or XFS.
3. Restrict local user permissions to prevent unauthorized use of ioctl calls on loop devices, limiting the ability to trigger the vulnerability.
4. Implement monitoring for kernel deadlocks and system hangs to detect early signs of exploitation or instability related to this issue.
5. In environments where loop devices are heavily used (e.g., container hosts, virtual machines), apply strict access controls and audit usage to prevent malicious or accidental triggering of the vulnerability.
6. For legacy systems that cannot be upgraded immediately, consider disabling or limiting the use of loop devices or JFS mounts until patches can be applied.
7. Engage with Linux distribution vendors for backported patches if upgrading the kernel is not feasible in the short term.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-04-16T04:51:23.936Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9832c4522896dcbe82d0

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 10:26:14 PM

Last updated: 8/5/2025, 7:41:02 AM

