CVE-2025-39878

MEDIUM

Linux Kernel 6.15-6.16.7 - NULL Pointer Dereference in ceph_writepages_start

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error The function move_dirty_folio_in_page_array() was created by commit ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") by moving code from ceph_writepages_start() to this function. This new function is supposed to return an error code which is checked by the caller (now ceph_process_folio_batch()), and on error, the caller invokes redirty_page_for_writepage() and then breaks from the loop. However, the refactoring commit has gone wrong, and it by accident, it always returns 0 (= success) because it first NULLs the pointer and then returns PTR_ERR(NULL) which is always 0. This means errors are silently ignored, leaving NULL entries in the page array, which may later crash the kernel. The simple solution is to call PTR_ERR() before clearing the pointer.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/dd1616ecbea920d228c56729461ed223cc501425

Patch

https://git.kernel.org/stable/c/249e0a47cdb46bb9eae65511c569044bd8698d7d

Scores

CVSS v3 5.5

EPSS 0.0012

EPSS Percentile 2.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (9)

linux/Kernel 6.15.0 - 6.16.8linux

Linux/Linux < 6.15

Linux/Linux 6.15

Linux/Linux 6.16.8 - 6.16.*

Linux/Linux 6.17

Linux/Linux ce80b76dd32764cc914975777e058d4fae4f0ea0 - 249e0a47cdb46bb9eae65511c569044bd8698d7d

Linux/Linux ce80b76dd32764cc914975777e058d4fae4f0ea0 - dd1616ecbea920d228c56729461ed223cc501425

linux/linux_kernel 6.17 rc1 (5 CPE variants)

linux/linux_kernel 6.15 - 6.16.8

Published Sep 23, 2025

Tracked Since Feb 18, 2026