CVE-2025-38579
HIGHDescription
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during extent merging. Fix it by zero-initializing the `extent_info` struct before population.
Is your site exposed to CVE-2025-38579?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| linux | linux_kernel |
| linux | linux_kernel |
| linux | linux_kernel |
| linux | linux_kernel |
| linux | linux_kernel |
| linux | linux_kernel |
| debian | debian_linux |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2025-38579? +
How severe is CVE-2025-38579? +
What products are affected by CVE-2025-38579? +
How do I check if I'm vulnerable to CVE-2025-38579? +
Related Vulnerabilities
In high traffic environments, a Silicon Labs OpenThread RCP (see impacted versions) fails to clear the SPI transmit buffer and …
Use of uninitialized resource within the AMD Platform Management Framework (PMF) could allow an attacker to read a uninitialized kernel …
When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result …
HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the …