Overview
CVE-2025-40265 describes a vulnerability in the Linux kernel's vfat filesystem implementation. This flaw, now resolved, could lead to a kernel panic under specific circumstances related to block size handling while mounting a filesystem. It was triggered when emulating an NVMe device on QEMU with specific block size settings.
Technical Details
The vulnerability stemmed from a missing check on the return value of sb_min_blocksize() in the vfat filesystem code. When emulating an NVMe device on QEMU with both logical_block_size and physical_block_size set to 8 KiB, but with the device left unformatted, the kernel failed to handle the block size correctly when a vfat filesystem was mounted during the early boot stage. The unchecked failure led to a kernel panic.
The following kernel messages were observed during the panic:
[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize
[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize
[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize
[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192
[95553.697117] ------------[ cut here ]------------
[95553.697567] kernel BUG at fs/buffer.c:1582!
The root cause was the lack of validation after calling `sb_min_blocksize()`, which resulted in invalid block size parameters being passed to subsequent functions, ultimately leading to the kernel bug and panic.
CVSS Analysis
Because triggering the vulnerability requires a specific QEMU configuration and the result is a denial of service (kernel panic), a CVSS score cannot be assigned accurately without further analysis. Any score should, however, reflect a high availability impact.
- Severity: N/A
- CVSS Score: N/A (Needs further evaluation, but likely High due to kernel panic)
Possible Impact
The primary impact of this vulnerability is a denial-of-service condition. A maliciously crafted or misconfigured virtual machine image using the described QEMU setup could trigger a kernel panic on the host system when it attempts to mount the vfat filesystem, leading to system instability and downtime.
Mitigation or Patch Steps
The vulnerability has been addressed in the Linux kernel, and updating to a kernel version containing the fix is strongly recommended. The fix adds a check on the return value of sb_min_blocksize() so that a failure to set the block size is handled as an error.
Specifically, the fix supplies the missing error handling, so the mount fails cleanly instead of panicking when the block size cannot be determined. Updating to the latest stable kernel is the recommended mitigation.
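To make the root cause and the fix concrete, here is an added user-space model (not kernel code and not the upstream patch) of the sb_min_blocksize() contract described above: it returns the block size it set, or 0 when the device's logical block size cannot be honoured, as with an 8 KiB sector on a kernel whose page size is 4 KiB. PAGE_SIZE, the model_* helpers, the two fat_fill_super variants and mount_outcome() are assumptions made for illustration.

```c
#define PAGE_SIZE 4096u /* assumed 4 KiB pages; the kernel uses its own PAGE_SIZE */
struct block_device { unsigned logical_block_size; };
struct super_block  { struct block_device *s_bdev; unsigned s_blocksize; };

/* Models set_blocksize(): power of two in [512, PAGE_SIZE], >= logical block size. */
static int model_set_blocksize(const struct block_device *bdev, unsigned size)
{
    return (size < 512 || size > PAGE_SIZE || (size & (size - 1)) ||
            size < bdev->logical_block_size) ? -1 : 0;
}

/* Models sb_min_blocksize(): raise size to the logical block size, set it, return it or 0. */
static unsigned model_sb_min_blocksize(struct super_block *sb, unsigned size)
{
    if (size < sb->s_bdev->logical_block_size)
        size = sb->s_bdev->logical_block_size;
    if (model_set_blocksize(sb->s_bdev, size))
        return 0;            /* s_blocksize is left as it was (still 0) */
    sb->s_blocksize = size;
    return size;
}

/* Models sb_bread(): the real one hits BUG_ON in fs/buffer.c for an unset block size. */
static int model_sb_bread(const struct super_block *sb)
{
    return (sb->s_blocksize == 0 || sb->s_blocksize > PAGE_SIZE) ? -2 : 0;
}

/* Pre-fix shape: the return value is ignored and the mount goes on to read. */
static int fat_fill_super_unchecked(struct super_block *sb)
{
    model_sb_min_blocksize(sb, 512);
    return model_sb_bread(sb);
}

/* Fixed shape: a zero return becomes an ordinary mount error before any read. */
static int fat_fill_super_checked(struct super_block *sb)
{
    if (!model_sb_min_blocksize(sb, 512))
        return -1;           /* -EINVAL, logged as "unable to set blocksize" */
    return model_sb_bread(sb);
}

/* 0 = mounted, -1 = clean mount error, -2 = would have been a kernel BUG. */
int mount_outcome(unsigned logical_block_size, int checked)
{
    struct block_device bdev = { logical_block_size };
    struct super_block sb = { &bdev, 0 };
    return checked ? fat_fill_super_checked(&sb) : fat_fill_super_unchecked(&sb);
}
```

With a 512-byte or 4 KiB logical block size both paths mount; with the 8 KiB device from the report the unchecked path reaches the buffer read with an unset block size, while the checked path returns an error first.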
