Linux Kernel, Memory Corruption, CVE-2025-71201 (Medium)

Listen to this Post

The vulnerability stems from a race condition in the Linux kernel’s network filesystem (netfs) layer during buffered read operations. Specifically, the function `netfs_read_unlock_folios()` is responsible for unlocking folios (the modern replacement for memory pages) after read data has been collected. The flaw occurs when a read operation extends to the end of a file (EOF) that does not align with a folio boundary. In such cases, the collection logic prematurely considers the read complete upon hitting the EOF offset, even if a “ZERO subrequest” designed to clear the unused portion of the final folio has not yet executed. This results in the folio being unlocked and made available to user space via mechanisms like `mmap` before the trailing bytes have been zeroed. Consequently, an application can observe uninitialized or stale data (referred to as “rubbish” in the logs) in the file’s tail area instead of the expected null bytes. The issue is exacerbated in synchronous filesystem operations, such as those used by 9P, where the ZERO subrequest is guaranteed to occur after the unlock, but can also manifest in asynchronous systems under specific race conditions.
Platform: Linux Kernel
Version: Affected versions include Ubuntu 24.04 (linux-hwe-6.14)
Vulnerability : Memory Corruption
Severity: Medium
date: 14 Feb 2026

Prediction: March 2026

What Undercode Say:

Analytics:

This vulnerability presents a moderate risk due to its local nature and specific trigger conditions. While the CVSS base score of 5.5 (Medium) reflects a need for local access and user interaction, the potential for information disclosure (C:H/I:N/A:N) is significant. Analysis of the commit history shows the issue was present in the netfs subsystem and has been patched in mainline kernels. The primary attack vector involves a local user exploiting a race to read sensitive data from kernel memory that was improperly cleared. The vulnerability is more pronounced in configurations using the 9P filesystem due to its synchronous read operations, but the potential for exploitation exists across various netfs-backed mounts (AFS, CIFS, Ceph) under the right timing conditions. The provided reproduction steps using `xfs_io` highlight a straightforward method to trigger the bug, lowering the barrier for local enumeration or information leaks.

How Exploit:

While a direct public exploit may not be widely available, the conditions for exploitation are well-understood and can be replicated. The core mechanism involves forcing a read operation on a file with a size that is not a multiple of the system’s page (folio) size and creating a race window.

Example reproduction steps as outlined in the CVE details
Create a file with a size that doesn't align to a page boundary (e.g., 24998 bytes)
truncate -s 24998 /xfstest.test/x
Use xfs_io to mmap the file and read beyond the EOF into the page cache,
triggering the race condition that exposes uninitialized tail data.
xfs_io -c "mmap -r 0 0x6000" -c "madvise -d 0 0x6000" \
-c "mread -v 0 0x6000" /xfstest.test/x

Successful exploitation would result in the `mread` command displaying non-zero “rubbish” data in the final 0x4e bytes of the output instead of null bytes, indicating that kernel memory containing stale information was exposed.

Protection from this CVE

The primary and most effective mitigation is to apply the official kernel patch that corrects the unlocking logic in netfs_read_unlock_folios(). System administrators should prioritize updating their Linux kernels to versions containing the fix.

For Debian/Ubuntu systems, update the kernel package
sudo apt update
sudo apt upgrade linux-image-$(uname -r)
For RHEL/CentOS/Fedora systems
sudo yum update kernel
or
sudo dnf update kernel
After updating, a system reboot is required to load the new kernel.
sudo reboot
Verify the running kernel version after reboot
uname -r

As a best practice, restrict local access to trusted users only, as the vulnerability requires local ability to execute code or commands. In shared hosting environments or multi-user systems, this vulnerability underscores the importance of kernel updates to prevent potential information leakage between users.

Impact

The impact of CVE-2025-71201 is primarily centered on confidentiality, with a CVSS vector indicating High impact to confidentiality (C:H). A successful exploit could allow a local attacker to read sensitive information that was inadvertently left in the tail of a file page. This leaked information could potentially include fragments of other users’ data, cached file contents, or kernel memory structures. While the vulnerability does not directly allow for privilege escalation (increasing user privileges) or system compromise (integrity or availability impact), the disclosure of sensitive memory contents can be a critical stepping stone for developing further exploits or bypassing security mechanisms like KASLR. Systems utilizing network filesystems, particularly those with synchronous read operations like 9P, face a higher practical risk of this issue manifesting in observable data leaks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top