Impact
fio (Flexible I/O Tester) version 3.41 has a flaw in its job file parser that is triggered when the fdp_pli option is given without an argument. The callback function for this option duplicates a string whose value is NULL, which causes a segmentation fault and terminates the process. An attacker who can supply a malformed job file can therefore force fio to crash, disrupting any instance where it is being used for benchmarking or testing. The weakness is a classic null pointer dereference, a type of bug that typically leads to denial of service rather than code execution.
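The failure pattern described above, as an added example that is not fio's source code: the function names, MAX_IDS and the comma-separated ID syntax are assumptions made for illustration. The unchecked callback duplicates its argument without testing it; the checked one rejects a missing argument before the copy.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IDS 16   /* constructed limit for this example */

/* Parse a comma-separated list such as "1,2,3"; returns the count or -1. */
static int parse_ids(const char *s, unsigned *ids)
{
    int n = 0;
    while (*s) {
        char *end;
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || n == MAX_IDS || (*end != ',' && *end != '\0'))
            return -1;
        ids[n++] = (unsigned)v;
        s = (*end == ',') ? end + 1 : end;
    }
    return n;
}

/* Unchecked pattern: with no argument, input is NULL and strdup(NULL) faults. */
int pli_cb_unchecked(const char *input, unsigned *ids)
{
    char *copy = strdup(input);
    int n = parse_ids(copy, ids);
    free(copy);
    return n;
}

/* Hardened: reject a missing or empty argument and a failed allocation. */
int pli_cb_checked(const char *input, unsigned *ids)
{
    if (input == NULL || *input == '\0')
        return -1;
    char *copy = strdup(input);
    if (copy == NULL)
        return -1;
    int n = parse_ids(copy, ids);
    free(copy);
    return n;
}

int main(void)
{
    unsigned ids[MAX_IDS];
    printf("%d %d\n", pli_cb_checked(NULL, ids), pli_cb_checked("1,2,3", ids));
}
```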
Affected Systems
The affected product is fio (Flexible I/O Tester) v3.41, as disclosed. The advisory lists no other versions, so the impact is limited to installations of this exact version unless the same code path remains unchanged in later releases.
Risk and Exploitability
No EPSS score and no CISA KEV listing are available, implying that no public exploitation has been observed or catalogued. The likely attack vector is manual or automated input of a job file that contains the fdp_pli option without an argument; an attacker who can influence job inputs can trigger the crash. Because the vulnerability causes a segmentation fault, exploitation is limited to denial of service. However, the risk is elevated in environments where fio runs with elevated privileges or where a crash could lead to broader system instability. With a CVSS score of 7.5, the vulnerability is considered high severity and warrants immediate patching, yet it remains a local vulnerability: crafting the malicious job file requires privileged or local access.