
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-21667 is a vulnerability in the Linux kernel's iomap subsystem, disclosed on January 31, 2025. It is a 64-bit offset truncation bug on 32-bit kernels and affects Linux kernel versions up to and including 6.1.127, 6.6.74, and 6.12.11 (NVD).
The defect is in the iomap_write_delalloc_scan() function, which computes the next file position from folio_next_index(). That helper returns an unsigned long, which is only 32 bits wide on 32-bit kernels, so the resulting byte offset is truncated and the scan position can wrap instead of advancing. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop') (NVD, Red Hat).
The vulnerability can lead to an infinite loop condition when writing to an XFS filesystem on 32-bit kernels. This results in a denial of service through unexpected resource consumption, potentially affecting CPU cycles and system memory, which can significantly impact system availability (Red Hat).
The vulnerability has been patched in the Linux kernel. The fix involves replacing the use of folio_next_index() with a combination of folio_pos() and folio_size() to properly handle 64-bit offsets. Updated kernel versions have been released: 6.1.128 and later, 6.6.75 and later, and 6.12.12 and later (Kernel Patch).
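The following is an added illustration of the truncation described above and of why the folio_pos() + folio_size() form avoids it; it is not kernel code. It models a 32-bit kernel with 32-bit stand-ins for pgoff_t and unsigned long, a 64-bit loff_t, and hypothetical folio helpers with the kernel's names but simplified bodies.

```c
#include <stdint.h>
#include <stdbool.h>

/* Model of a 32-bit kernel: pgoff_t / unsigned long are 32 bits, loff_t is 64. */
typedef uint32_t pgoff32_t;
typedef uint32_t ulong32_t;
typedef int64_t  loff64_t;

#define PAGE_SHIFT 12
#define PAGE_SIZE_ ((ulong32_t)1 << PAGE_SHIFT)

/* Minimal folio stand-in (constructed): first page index and byte size. */
struct folio_model { pgoff32_t index; ulong32_t size; };

/* Hypothetical helpers mirroring the kernel names used on this page. */
static pgoff32_t folio_next_index(const struct folio_model *f) { return f->index + (f->size >> PAGE_SHIFT); }
static loff64_t  folio_pos(const struct folio_model *f)        { return (loff64_t)f->index << PAGE_SHIFT; }
static ulong32_t folio_size(const struct folio_model *f)       { return f->size; }

/* Buggy form: the multiply happens in 32-bit unsigned long and wraps at 4 GiB;
 * widening to loff_t afterwards cannot recover the lost high bits. */
loff64_t next_start_buggy(const struct folio_model *f) {
    ulong32_t start = folio_next_index(f) * PAGE_SIZE_;
    return (loff64_t)start;
}

/* Fixed form: 64-bit position plus folio size, no 32-bit intermediate. */
loff64_t next_start_fixed(const struct folio_model *f) {
    return folio_pos(f) + folio_size(f);
}

/* Simulates the scan advancing one page-sized folio at a time from start_byte
 * to end_byte. Returns folios visited, or -1 if the position stops moving
 * forward (the infinite-loop condition the CWE-835 classification describes). */
int scan_steps(loff64_t start_byte, loff64_t end_byte, bool buggy) {
    int steps = 0;
    while (start_byte < end_byte) {
        struct folio_model f = { (pgoff32_t)(start_byte >> PAGE_SHIFT), PAGE_SIZE_ };
        loff64_t next = buggy ? next_start_buggy(&f) : next_start_fixed(&f);
        if (next <= start_byte) return -1;   /* wrapped backwards: no progress */
        start_byte = next;
        if (++steps > 1000000) return -1;    /* safety cap for the simulation */
    }
    return steps;
}
```

Crossing the 4 GiB boundary is the interesting case: the buggy form computes the next position as 0 and the loop would never terminate, while the fixed form advances normally.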
Source: This report was generated using AI