{ "threat_severity" : "Moderate", "public_date" : "2026-02-14T00:00:00Z", "bugzilla" : { "description" : "kernel: netfs: Fix early read unlock of page with EOF in middle", "id" : "2439861", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439861" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-826", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfs: Fix early read unlock of page with EOF in middle\nThe read result collection for buffered reads seems to run ahead of the\ncompletion of subrequests under some circumstances, as can be seen in the\nfollowing log snippet:\n9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0\n...\nnetfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0\n...\nnetfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2\nnetfs_folio: i=157f3 ix=00004-00004 read-done\nnetfs_folio: i=157f3 ix=00004-00004 read-unlock\nnetfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2\nnetfs_folio: i=157f3 ix=00005-00005 read-done\nnetfs_folio: i=157f3 ix=00005-00005 read-unlock\n...\nnetfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\nnetfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c\nnetfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\nnetfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8\n...\nnetfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0\nnetfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0\nThe 'cto=5fb2' indicates the collected file pos we've collected results to\nso far - but we still have 0x4e more bytes to go - so we shouldn't have\ncollected folio ix=00005 yet. The 'ZERO' subreq that clears the tail\nhappens after we unlock the folio, allowing the application to see the\nuncleared tail through mmap.\nThe problem is that netfs_read_unlock_folios() will unlock a folio in which\nthe amount of read results collected hits EOF position - but the ZERO\nsubreq lies beyond that and so happens after.\nFix this by changing the end check to always be the end of the folio and\nnever the end of the file.\nIn the future, I should look at clearing to the end of the folio here rather\nthan adding a ZERO subreq to do this. On the other hand, the ZERO subreq can\nrun in parallel with an async READ subreq. Further, the ZERO subreq may still\nbe necessary to, say, handle extents in a ceph file that don't have any\nbacking store and are thus implicitly all zeros.\nThis can be reproduced by creating a file, the size of which doesn't align\nto a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something\nlike:\nxfs_io -c \"mmap -r 0 0x6000\" -c \"madvise -d 0 0x6000\" \\\n-c \"mread -v 0 0x6000\" /xfstest.test/x\nThe last 0x4e bytes should all be 00, but if the tail hasn't been cleared\nyet, you may see rubbish there. This can be reproduced with kafs by\nmodifying the kernel to disable the call to netfs_read_subreq_progress()\nand to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.\nReproduction can be made easier by inserting an mdelay(100) in\nnetfs_issue_read() for the ZERO-subreq case.\nAFS and CIFS are normally unlikely to show this as they dispatch READ ops\nasynchronously, which allows the ZERO-subreq to finish first. 9P's READ op is\ncompletely synchronous, so the ZERO-subreq will always happen after. It isn't\nseen all the time, though, because the collection may be done in a worker\nthread.", "A race condition flaw was found in the Linux kernel's netfs subsystem. In the netfs_read_unlock_folios() function, a folio (memory page) may be unlocked prematurely before the ZERO subrequest completes clearing the tail portion of the page beyond the end-of-file. This allows an application using mmap to observe uninitialized kernel memory contents in the uncleared tail region, potentially leading to information disclosure." ], "statement" : "This flaw primarily affects network filesystems using the netfs helper library, particularly 9P which uses synchronous reads. AFS and CIFS are less likely to exhibit this behavior due to their asynchronous read dispatch. The information disclosure is limited to uninitialized page contents and requires specific file sizes and mmap access patterns.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-71201\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71201\nhttps://lore.kernel.org/linux-cve-announce/2026021428-CVE-2025-71201-9d67@gregkh/T" ], "name" : "CVE-2025-71201", "csaw" : false }