In the Linux kernel, the following vulnerability has been resolved:
gfs2: No more self recovery
When a node withdraws and it turns out that it is the only node that has
the filesystem mounted, gfs2 currently tries to replay the local journal
to bring the filesystem back into a consistent state. Not only is that
a very bad idea, it has also never worked because gfs2_recover_func()
will refuse to do anything during a withdraw.
However, before even getting to this point, gfs2_recover_func()
dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
and is a NULL pointer dereference since then.
Simply get rid of self recovery to fix that.
Security readout for executives and security teams
Plain-English summary
CVE-2025-38659 is a Linux kernel GFS2 filesystem flaw. During a withdrawal on a single mounted node, the kernel tried an unsafe self-recovery path that could dereference invalid or NULL journal data. The public sources describe a kernel stability issue, not confirmed data theft or remote compromise.
Executive priority
Treat as targeted infrastructure hygiene unless GFS2 is in production use. For GFS2 clusters or shared-storage workloads, prioritize kernel patching because the flaw affects filesystem recovery behavior and could impact availability.
Technical view
The GFS2 fix removes self recovery. The vulnerable path reaches gfs2_recover_func(), which dereferences sdp->sd_jdesc->jd_inode. Sources state this was previously a use-after-free and later a NULL pointer dereference after an earlier journal iput fix. Severity and CVSS are not provided.
Likely exposure
Exposure is limited to Linux systems using the GFS2 filesystem on affected kernel builds listed by the CVE source. Systems not using GFS2 are unlikely to be exposed based on the provided evidence.
Exploitation context
No provided source states active exploitation, and KEV is false. The described condition involves GFS2 withdrawal and attempted local journal recovery when the node is the only mounted node. The sources do not describe remote attack prerequisites.
Researcher notes
The source bundle lacks CVSS, CWE, distribution advisories, and exploitability analysis. The fix rationale is clear: remove a broken self-recovery path that can dereference freed or NULL journal state during withdrawal.
Mitigation direction
Apply Linux kernel updates containing the referenced GFS2 stable fixes.
Prioritize systems that mount or support GFS2 filesystems.
Check distribution vendor advisories for packaged fixed kernel versions.
Avoid GFS2 use on unpatched kernels where operationally feasible.
Validation and detection
Inventory Linux hosts and identify any mounted GFS2 filesystems.
Map running kernel versions to vendor-fixed releases or referenced stable commits.
Review kernel logs for GFS2 withdraw or recovery-related failures.
Confirm patched systems include the self-recovery removal fix.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-38659 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Aug 22, 2025, 16:01 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.