CVE-2025-40237: Critical Race Condition in Linux Kernel OverlayFS Can Lead to NULL Pointer Dereference

Overview

CVE-2025-40237 describes a race condition vulnerability in the Linux kernel’s OverlayFS (overlay filesystem) implementation. Specifically, a NULL pointer dereference can occur while an OverlayFS filesystem is being unmounted if, at the same time, the /proc fdinfo entry of an inotify file descriptor that watches an overlayfs inode is read, which invokes inotify_fdinfo(). This vulnerability can lead to a system crash or other unpredictable behavior.

Technical Details

The vulnerability arises from a race condition between the filesystem unmount process and the inotify_fdinfo() function. Here’s a breakdown of the issue:

  • When an OverlayFS filesystem is unmounted, the generic_shutdown_super() function is called. This function eventually sets the superblock’s root directory (sb->s_root) to NULL.
  • Concurrently, if a process reads the fdinfo entry of an inotify file descriptor that holds a watch (mark) on an inode of that OverlayFS filesystem, the inotify_fdinfo() function is called.
  • inotify_fdinfo() calls show_mark_fhandle() which in turn calls exportfs_encode_fid() and then ovl_encode_fh().
  • Inside ovl_encode_fh(), the ovl_check_encode_origin() function attempts to dereference inode->i_sb->s_root.
  • If the unmount process sets sb->s_root to NULL before ovl_check_encode_origin() accesses it, a NULL pointer dereference occurs, leading to a kernel panic.

Here is a representation of the race condition:

Thread 1                           Thread 2
--------                           --------

generic_shutdown_super()
 shrink_dcache_for_umount
  sb->s_root = NULL

                    |
                    |             vfs_read()
                    |              inotify_fdinfo()
                    |               * inode get from mark *
                    |               show_mark_fhandle(m, inode)
                    |                exportfs_encode_fid(inode, ..)
                    |                 ovl_encode_fh(inode, ..)
                    |                  ovl_check_encode_origin(inode)
                    |                   * deref i_sb->s_root *
                    |
                    |
                    v
 fsnotify_sb_delete(sb)

CVSS Analysis

A CVSS score has not been explicitly assigned to this CVE. However, due to the potential for a kernel panic and system crash, this vulnerability would likely be classified as having a High severity.

Possible Impact

A successful exploit of CVE-2025-40237 can result in the following:

  • Kernel Panic: The most likely outcome is a kernel panic, causing the system to crash and require a reboot.
  • Denial of Service (DoS): The crash effectively renders the system unusable, resulting in a denial of service.

Mitigation and Patch Steps

The vulnerability has been addressed in the Linux kernel. The fix protects the call to exportfs_encode_fid() made from show_mark_fhandle() with the superblock’s s_umount lock, so the file-handle encoding cannot run concurrently with, or after, the teardown of the superblock by the unmount.

To mitigate this vulnerability, users should:

  • Update the Kernel: Apply the latest kernel patches from your distribution vendor. Ensure the patch includes the fix for CVE-2025-40237.
  • Monitor Systems: Watch for unusual system behavior or crashes, which could indicate exploitation attempts.
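The race described above only matters when some process holds an inotify watch on the overlay that is about to be unmounted. As an added triage aid (not code from the advisory or the kernel tree), the following script finds such watches by decoding the sdev field that inotify_fdinfo() prints and matching it against overlay mounts in mountinfo; the fdinfo and mountinfo samples are constructed, and the field layouts follow the kernel's fdinfo and mountinfo output.

```python
"""Audit inotify watches whose superblock is an OverlayFS mount (added example)."""
import re

# One line per inotify mark, as written by fs/notify/fdinfo.c (values in hex).
INOTIFY_RE = re.compile(r"^inotify wd:([0-9a-f]+) ino:([0-9a-f]+) sdev:([0-9a-f]+)", re.M)

# Constructed sample: /proc/<pid>/fdinfo/<fd> of an inotify descriptor with two marks.
SAMPLE_FDINFO = (
    "pos:\t0\nflags:\t02000000\nmnt_id:\t15\nino:\t1041\n"
    "inotify wd:1 ino:2 sdev:3f mask:800afce ignored_mask:0 "
    "fhandle-bytes:8 fhandle-type:1 f_handle:0200000000000000\n"
    "inotify wd:2 ino:1a sdev:800001 mask:800afce ignored_mask:0 "
    "fhandle-bytes:8 fhandle-type:1 f_handle:1a00000000000000\n"
)
# Constructed sample: /proc/<pid>/mountinfo with one ext4 root and one overlay mount.
SAMPLE_MOUNTINFO = (
    "25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "36 25 0:63 / /var/lib/containers/merged rw,relatime - overlay overlay "
    "rw,lowerdir=/l,upperdir=/u,workdir=/w\n"
)

def decode_sdev(hex_dev):
    """fdinfo prints i_sb->s_dev as a raw kernel dev_t: 12-bit major, 20-bit minor."""
    dev = int(hex_dev, 16)
    return dev >> 20, dev & 0xFFFFF

def _unescape(field):
    # mountinfo escapes space, tab, newline and backslash as octal \ooo sequences
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def overlay_mounts(mountinfo_text):
    """Map (major, minor) -> mount point for every mount whose fstype is 'overlay'."""
    mounts = {}
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)   # fields before/after the separator
        lf = left.split()
        if right.split()[0] != "overlay" or len(lf) < 5:
            continue
        major, minor = (int(x) for x in lf[2].split(":"))
        mounts[(major, minor)] = _unescape(lf[4])
    return mounts

def overlay_watches(fdinfo_text, mountinfo_text):
    """Return [(wd, mount point)] for inotify marks living on an overlay superblock."""
    mounts = overlay_mounts(mountinfo_text)
    hits = []
    for wd, _ino, sdev in INOTIFY_RE.findall(fdinfo_text):
        key = decode_sdev(sdev)
        if key in mounts:
            hits.append((int(wd, 16), mounts[key]))
    return hits

if __name__ == "__main__":
    for wd, mnt in overlay_watches(SAMPLE_FDINFO, SAMPLE_MOUNTINFO):
        print(f"wd {wd} watches overlay mount {mnt}: drop or drain it before unmounting")
```

On a live host the same functions can be fed the contents of /proc/<pid>/fdinfo/<fd> and /proc/<pid>/mountinfo for each inotify descriptor found under /proc/<pid>/fd, so watches on an overlay can be released before it is torn down on kernels that do not yet carry the fix.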

References

Kernel Commit (3f307a9f7a7a2822e38ac451b73e2244e7279496)
Kernel Commit (a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a)
Kernel Commit (bc1c6b803e14ea2b8f7e33b7164013f666ceb656)
Kernel Commit (d1894bc542becb0fda61e7e513b09523cab44030)
Amir’s Suggestion on LKML

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
