Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: Fix potential block overflow that cause system hang

When a user executes the FITRIM command, an underflow can occur when
calculating nblocks if end_block is too small. Since nblocks is of
type sector_t, which is u64, a negative nblocks value will become a
very large positive integer. This ultimately leads to the block layer
function __blkdev_issue_discard() taking an excessively long time to
process the bio chain, and the ns_segctor_sem lock remains held for a
long period. This prevents other tasks from acquiring the ns_segctor_sem
lock, resulting in the hang reported by syzbot in [1].

If the ending block is too small, typically if it is smaller than 4KiB
range, depending on the usage of the segment 0, it may be possible to
attempt a discard request beyond the device size causing the hang.

Exit successfully and assign the discarded size (0 in this case)
to range->len.

Although the start and len values in the user input range are too small,
a conservative strategy is adopted here to safely ignore them, which is
equivalent to a no-op; it will not perform any trimming and will not
throw an error.

[1]
task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000
Call Trace:
rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684

[ryusuke: corrected part of the commit message about the consequences]
Published: 2026-02-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (system hang)
Action: Apply Patch
AI Analysis

Impact

An integer underflow in the nilfs2 filesystem occurs when the FITRIM ioctl computes the number of blocks to discard. If the end block derived from the caller's range is smaller than the start block, the subtraction is performed on sector_t (an unsigned 64-bit type), so what would be a negative count wraps to a very large positive value. The block layer's __blkdev_issue_discard() is then asked to discard a huge range, possibly beyond the end of the device, and spends a long time building and submitting the bio chain while nilfs2 still holds ns_segctor_sem. Other tasks that need that semaphore, including the segctord writeback thread in the syzbot trace above, block indefinitely, so the system hangs. NVD classifies the weakness as CWE-193 (Off-by-one Error); mechanically it is an unsigned wraparound in a range-length calculation.
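To make the arithmetic concrete, here is an added example, written for this page and not code from the kernel or from the nilfs2 patch, that models how a FITRIM handler turns a byte range into a block range and clips the last run of clean segments to it. The geometry (4 KiB blocks, 64 blocks per segment, 8 segments, segment 0's data starting at block 2, segment 3 in use), the end-block formula and the helper names are assumptions. With a range of 100 bytes starting at byte 1, the start block rounds up to 1 and the end block rounds down to 0; the unchecked clamp then evaluates end_block - start + 1 on sector_t and yields 2^64 - 1 blocks, far past the 512-block device. The hardened path applies the conservative no-op the commit message describes (return success with range->len = 0) and, as a general defensive measure that goes beyond what the page states, checks start > end_block before subtracting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t sector_t;            /* u64 in the kernel: a "negative" count wraps */

struct fstrim_range { uint64_t start, len, minlen; };   /* FITRIM argument, as in <linux/fs.h> */
struct discard_req  { sector_t start, nblocks; };       /* what would go to blkdev_issue_discard */

/* Constructed toy geometry (assumption, not nilfs2's real layout): 4 KiB blocks,
 * 64 blocks per segment, 8 segments, segment 0's data starting at block 2. */
enum { BS_BITS = 12, BPS = 64, NSEGS = 8, FIRST_DATA_BLOCK = 2 };
static const bool segment_clean[NSEGS] = { true, true, true, false, true, true, true, true };

/* Simplified model of the range arithmetic in a FITRIM handler (not the kernel's code).
 * hardened=false reproduces the wrap the advisory describes. hardened=true adds
 * (1) the no-op early exit the commit message describes and (2) a check before the
 * subtraction in the final clamp, a general defensive pattern added here because the
 * toy geometry can also hit the wrap for start == 0. Returns 0; range->len reports
 * the bytes that would be discarded. */
static int trim_model(struct fstrim_range *range, bool hardened, struct discard_req *req)
{
    const sector_t bs = 1ULL << BS_BITS, max_blocks = (sector_t)NSEGS * BPS;
    const uint64_t dev_bytes = max_blocks << BS_BITS;
    sector_t start_block, end_block, segnum, start = 0, nblocks = 0;

    req->start = req->nblocks = 0;
    if (!range->len || range->start >= dev_bytes) { range->len = 0; return 0; }

    /* first whole block at or after start; last block touched (overflow-safe for len = ~0) */
    start_block = (range->start + bs - 1) >> BS_BITS;
    if (range->len - 1 >= dev_bytes - 1 - range->start)
        end_block = max_blocks - 1;
    else
        end_block = (range->start + range->len - 1) >> BS_BITS;

    /* (1) an unaligned range shorter than one block gives end_block < start_block */
    if (hardened && end_block < start_block) { range->len = 0; return 0; }

    /* collect the first contiguous run of clean segments inside the range */
    for (segnum = start_block / BPS; segnum <= end_block / BPS; segnum++) {
        sector_t seg_start = segnum * BPS, seg_end = seg_start + BPS - 1;
        if (segnum == 0)
            seg_start = FIRST_DATA_BLOCK;    /* may lie beyond end_block for tiny ranges */
        if (!segment_clean[segnum]) { if (nblocks) break; continue; }
        if (!nblocks)                          { start = seg_start; nblocks = seg_end - seg_start + 1; }
        else if (start + nblocks == seg_start) nblocks += seg_end - seg_start + 1;
        else break;
    }
    if (!nblocks) { range->len = 0; return 0; }

    /* clip the run to [start_block, end_block] */
    if (start < start_block) { nblocks -= start_block - start; start = start_block; }
    if (hardened && start > end_block)
        nblocks = 0;                         /* (2) no block of the run is inside the range */
    else if (start + nblocks > end_block + 1)
        nblocks = end_block - start + 1;     /* wraps to ~2^64 when start > end_block + 1 */

    req->start = start; req->nblocks = nblocks;
    range->len = nblocks << BS_BITS;         /* also wraps in the unchecked case */
    return 0;
}

/* Scalar helpers for checking the two paths on a given byte range. */
static uint64_t nblocks_for(uint64_t start, uint64_t len, bool hardened)
{
    struct fstrim_range r = { start, len, 0 }; struct discard_req q;
    trim_model(&r, hardened, &q);
    return q.nblocks;
}
static uint64_t reported_len_for(uint64_t start, uint64_t len, bool hardened)
{
    struct fstrim_range r = { start, len, 0 }; struct discard_req q;
    trim_model(&r, hardened, &q);
    return r.len;
}

int main(void)
{
    printf("unchecked, start=1 len=100: nblocks=%llu (device has %d blocks)\n",
           (unsigned long long)nblocks_for(1, 100, false), NSEGS * BPS);
    printf("hardened,  start=1 len=100: reported len=%llu\n",
           (unsigned long long)reported_len_for(1, 100, true));
    printf("whole device (fstrim default): nblocks=%llu\n",
           (unsigned long long)nblocks_for(0, UINT64_MAX, true));
    return 0;
}
```

The whole-device call (start 0, length UINT64_MAX, which is what fstrim passes by default) never reaches the wrap in either path: the end block is clamped to the last block of the device, so the clipped run is always non-negative. Only a short, unaligned range ending inside the first block produces an end block below the start of segment 0's data, which is the case the commit message describes.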

Affected Systems

The tracked CPE (cpe:2.3:o:linux:linux_kernel:*) carries no version range, so the page does not say which kernel releases contain the bug. Any system running a kernel built with nilfs2 support that mounts a nilfs2 filesystem and on which the FITRIM ioctl can be issued (for example by fstrim or a periodic fstrim.timer) is affected until a fixed kernel is installed; the Debian advisories listed below cover the linux and linux-6.1 packages.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) gives 5.5: local attack vector, low privileges, no user interaction, and an availability-only impact. The EPSS score below 1% indicates a low likelihood of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. Triggering it requires local access to a mounted nilfs2 filesystem and the ability to issue the FITRIM ioctl, which, as with other filesystems' trim support, is normally done by a privileged process such as fstrim. The flaw is therefore a local denial of service: the oversized discard keeps ns_segctor_sem (a read-write semaphore, not a mutex) held for so long that the segment constructor thread and other filesystem operations stall.

Generated by OpenCVE AI on April 20, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The Description states that the issue is resolved upstream, and the Debian advisories listed under Advisories below ship patched kernels.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the nilfs2 block overflow fix (commit 2438982f6 and related patches).
  • If an immediate kernel update is not possible, stop issuing FITRIM on nilfs2 filesystems until the kernel is patched (for example by disabling fstrim.timer or excluding those mount points from scheduled trims); skipping trims only delays space reclamation on the underlying SSD and does not affect data integrity.
  • If trims must continue on an unpatched kernel, issue them only for whole-device ranges (fstrim's default of start 0 and length ULLONG_MAX) and never with a range that is shorter than one filesystem block or that ends inside the first 4 KiB, since an end block that is too small is what produces the underflow.

Generated by OpenCVE AI on April 20, 2026 at 20:51 UTC.

Advisories
Source      ID          Title
Debian DLA  DLA-4498-1  linux security update
Debian DLA  DLA-4499-1  linux-6.1 security update
Debian DSA  DSA-6141-1  linux security update
Debian DSA  DSA-6163-1  linux security update
History

Mon, 20 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193

Wed, 18 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 23 Feb 2026 03:30:00 +0000


Thu, 19 Feb 2026 16:15:00 +0000


Thu, 19 Feb 2026 00:15:00 +0000


Wed, 18 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1]. If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang. Exiting successfully and assign the discarded size (0 in this case) to range->len. Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error. [1] task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace: rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272 nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline] nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684 [ryusuke: corrected part of the commit message about the consequences]
Title nilfs2: Fix potential block overflow that cause system hang
First Time appeared: Linux, Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:26.549Z

Reserved: 2026-02-18T14:25:13.845Z

Link: CVE-2025-71237

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-18T16:22:30.517

Modified: 2026-03-18T14:58:45.933

Link: CVE-2025-71237

Redhat

Severity :

Public Date: 2026-02-18T00:00:00Z

Links: CVE-2025-71237 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses