Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Validate i_depth for exhash directories

A fuzzer test introduced corruption that ends up with a depth of 0 in
dir_e_read(), causing an undefined shift by 32 at:

index = hash >> (32 - dip->i_depth);

As calculated in an open-coded way in dir_make_exhash(), the minimum
depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is
invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.

So we can avoid the undefined behaviour by checking for depth values
lower than the minimum in gfs2_dinode_in(). Values greater than the
maximum are already being checked for there.

Also switch the calculation in dir_make_exhash() to use ilog2() to
clarify how the depth is calculated.

Tested with the syzkaller repro.c and xfstests '-g quick'.
Published: 2025-09-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from an undefined shift operation in the GFS2 filesystem code when an exhash directory has a depth of zero. The calculation index = hash >> (32 - dip->i_depth); fails when i_depth equals zero, causing a shift of 32 bits and undefined behaviour. This flaw can lead to memory corruption or a kernel panic, effectively resulting in a denial‑of‑service condition. The attack is likely local or requires privileged access to manipulate GFS2 directory structures, as the code that triggers the bug is only executed during filesystem operations. The fault is a weakness in input validation and calculation logic, which can be exploited when an attacker forces the depth to an illegal value.

Affected Systems

Affected systems encompass all Linux kernel releases that contain the GFS2 filesystem implementation where this bug exists. No specific version ranges are documented in the available data, indicating that any kernel incorporating the unpatched code path could be vulnerable. Administrators should assess whether their installations use GFS2 and if they run a kernel version before the identified commit.

Risk and Exploitability

Risk and exploitability assessment shows a CVSS score of 5.5, placing the vulnerability in a moderate severity range. The EPSS score is less than 1 %, implying a very low current exploitation probability, and the issue is not listed in CISA’s KEV catalog. The primary vector remains a local, privileged attack; however, if a process with the ability to perform privileged filesystem operations is compromised, the adversary could trigger a crash. The updated kernel mitigates the undefined behavior by validating depth values in gfs2_dinode_in() and recalculating the depth with ilog2().

Generated by OpenCVE AI on April 20, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit fixing the GFS2 depth validation bug (see commit 53a0249d68a210c16e961b83adfa82f94ee0a53d).
  • Reboot the system into the updated kernel to apply the patch and ensure the filesystem is active with the new code path.
  • If an immediate kernel upgrade cannot be performed, remount any GFS2 volumes in read‑only mode or disable GFS2 usage to prevent the vulnerable code from executing.

Generated by OpenCVE AI on April 20, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26759 In the Linux kernel, the following vulnerability has been resolved: gfs2: Validate i_depth for exhash directories A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there. Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated. Tested with the syzkaller repro.c and xfstests '-g quick'.
Ubuntu USN Ubuntu USN USN-8028-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-4 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-2 Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-6 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-7 Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-8 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-2 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-2 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8126-1 Linux kernel (Azure) vulnerabilities
History

Mon, 20 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-795

Sat, 11 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
References

Tue, 25 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 05 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Fri, 05 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 04 Sep 2025 15:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gfs2: Validate i_depth for exhash directories A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there. Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated. Tested with the syzkaller repro.c and xfstests '-g quick'.
Title gfs2: Validate i_depth for exhash directories
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-11T12:45:37.195Z

Reserved: 2025-04-16T04:51:24.033Z

Link: CVE-2025-38710

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2025-09-04T16:15:40.137

Modified: 2026-04-11T13:16:35.223

Link: CVE-2025-38710

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-04T00:00:00Z

Links: CVE-2025-38710 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses