{"id":"AZL-66602","summary":"CVE-2025-38627 affecting package kernel for versions less than 6.6.119.3-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n The UAF case as below:\n Thread A Thread B\n - f2fs_decompress_end_io\n - f2fs_put_dic\n - queue_work\n add free_dic work to post_read_wq\n - do_unlink\n - iput\n - evict\n - call_rcu\n This file is deleted after read.\n\n Thread C kworker to process post_read_wq\n - rcu_do_batch\n - f2fs_free_inode\n - kmem_cache_free\n inode is freed by rcu\n - process_scheduled_works\n - f2fs_late_free_dic\n - f2fs_free_dic\n - f2fs_release_decomp_mem\n read (dic-\u003einode)-\u003ei_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org","modified":"2026-04-01T05:21:00.493917Z","published":"2025-08-22T16:15:36Z","upstream":["CVE-2025-38627"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38627"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.119.3-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66602.json"}}],"schema_version":"1.7.5"}