LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38659: gfs2: No more self recovery

In the Linux kernel, the following vulnerability has been resolved: gfs2: No more self recovery When a node withdraws and it turns out that it is the only node that has the filesystem mounted, gfs2 currently tries to replay the local journal to bring the filesystem back into a consistent state. Not only is that a very bad idea, it has also never worked because gfs2_recover_func() will refuse to do anything during a withdraw. However, before even getting to this point, gfs2_recover_func() dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") and is a NULL pointer dereference since then. Simply get rid of self recovery to fix that.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-38659 is a Linux kernel GFS2 filesystem flaw. During a withdrawal on a single mounted node, the kernel tried an unsafe self-recovery path that could dereference invalid or NULL journal data. The public sources describe a kernel stability issue, not confirmed data theft or remote compromise.

Executive priority

Treat as targeted infrastructure hygiene unless GFS2 is in production use. For GFS2 clusters or shared-storage workloads, prioritize kernel patching because the flaw affects filesystem recovery behavior and could impact availability.

Technical view

The GFS2 fix removes self recovery. The vulnerable path reaches gfs2_recover_func(), which dereferences sdp->sd_jdesc->jd_inode. Sources state this was previously a use-after-free and later a NULL pointer dereference after an earlier journal iput fix. Severity and CVSS are not provided.

Likely exposure

Exposure is limited to Linux systems using the GFS2 filesystem on affected kernel builds listed by the CVE source. Systems not using GFS2 are unlikely to be exposed based on the provided evidence.

Exploitation context

No provided source states active exploitation, and KEV is false. The described condition involves GFS2 withdrawal and attempted local journal recovery when the node is the only mounted node. The sources do not describe remote attack prerequisites.

Researcher notes

The source bundle lacks CVSS, CWE, distribution advisories, and exploitability analysis. The fix rationale is clear: remove a broken self-recovery path that can dereference freed or NULL journal state during withdrawal.

Mitigation direction

  • Apply Linux kernel updates containing the referenced GFS2 stable fixes.
  • Prioritize systems that mount or support GFS2 filesystems.
  • Check distribution vendor advisories for packaged fixed kernel versions.
  • Avoid GFS2 use on unpatched kernels where operationally feasible.

Validation and detection

  • Inventory Linux hosts and identify any mounted GFS2 filesystems.
  • Map running kernel versions to vendor-fixed releases or referenced stable commits.
  • Review kernel logs for GFS2 withdraw or recovery-related failures.
  • Confirm patched systems include the self-recovery removal fix.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38659 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44ac, 601ef0d52e9617588fcff3df26953592f2eb44acunaffected
LinuxLinux5.7, 0, 5.15.209, 6.1.167, 6.6.102, 6.12.42, 6.15.10, 6.16.1, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.