CVE-2025-38579 Detail

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix KMSAN uninit-value in extent_info usage

KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path.

The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during extent merging.

Fix it by zero-initializing the `extent_info` struct before population.
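The bug class described above, shown as an added user-space example (not the kernel's code and not taken from the patch): a struct populated field by field keeps stale bytes in the fields nobody writes, and a later merge check reads them. The struct layout, the `other` field, the helper names and the merge logic are simplified assumptions; stale stack contents are simulated with `memset` so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct extent_info; 'other' models the unnamed rest. */
struct extent_info {
    uint32_t fofs, blk, len; /* the three fields the populate step writes */
    uint32_t other;          /* assumed extra field that it never writes */
};

/* Buggy pattern: only three fields are assigned, 'other' keeps old bytes. */
static void populate_partial(struct extent_info *ei, uint32_t fofs,
                             uint32_t blk, uint32_t len)
{
    ei->fofs = fofs;
    ei->blk = blk;
    ei->len = len;
}

/* Fixed pattern from the description: zero the struct before population. */
static void populate_zeroed(struct extent_info *ei, uint32_t fofs,
                            uint32_t blk, uint32_t len)
{
    memset(ei, 0, sizeof(*ei));
    populate_partial(ei, fofs, blk, len);
}

/* Simplified merge check (assumed logic) that also reads 'other'. */
static int back_mergeable(const struct extent_info *back,
                          const struct extent_info *cur)
{
    if (back->other != cur->other)
        return 0;
    return back->fofs + back->len == cur->fofs &&
           back->blk + back->len == cur->blk;
}

/* Builds 'cur' over memory pre-filled with stale_byte, returns the decision. */
int merge_decision(int zero_first, unsigned char stale_byte)
{
    struct extent_info back = { 4, 104, 4, 0 }, cur; /* constructed extents */
    memset(&cur, stale_byte, sizeof(cur)); /* simulate leftover stack bytes */
    if (zero_first)
        populate_zeroed(&cur, 8, 108, 4);
    else
        populate_partial(&cur, 8, 108, 4);
    return back_mergeable(&back, &cur);
}

int main(void)
{
    printf("stale: %d, zeroed: %d\n", merge_decision(0, 0xAA), merge_decision(1, 0xAA));
    return 0;
}
```

With stale bytes of zero the partial version happens to give the right answer, which is why this kind of defect tends to surface only under a sanitizer such as KMSAN.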


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

| URL | Source(s) | Tag(s) |
| --- | --- | --- |
| https://git.kernel.org/stable/c/01b6f5955e0008af6bc3a181310d2744bb349800 | kernel.org | Patch |
| https://git.kernel.org/stable/c/08e8ab00a6d20d5544c932ee85a297d833895141 | kernel.org | Patch |
| https://git.kernel.org/stable/c/154467f4ad033473e5c903a03e7b9bca7df9a0fa | kernel.org | Patch |
| https://git.kernel.org/stable/c/44a79437309e0ee2276ac17aaedc71253af253a8 | kernel.org | Patch |
| https://git.kernel.org/stable/c/cc1615d5aba4f396cf412579928539a2b124c8a0 | kernel.org | Patch |
| https://git.kernel.org/stable/c/dabfa3952c8e6bfe6414dbf32e8b6c5f349dc898 | kernel.org | Patch |
| https://git.kernel.org/stable/c/e68b751ec2b15d866967812c57cfdfc1eba6a269 | kernel.org | Patch |
| https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html | CVE | Mailing List, Third Party Advisory |

Weakness Enumeration

| CWE-ID | CWE Name | Source |
| --- | --- | --- |
| CWE-908 | Use of Uninitialized Resource | NIST |

Change History

4 change records found

Quick Info

CVE Dictionary Entry: CVE-2025-38579
NVD Published Date: 08/19/2025
NVD Last Modified: 01/09/2026
Source: kernel.org