CVE-2025-37999: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) component was discovered and assigned CVE-2025-37999. The issue was disclosed on May 29, 2025, affecting the fs/erofs/fileio subsystem. The vulnerability was introduced by commit ce63cb62d794 ("erofs: support unencoded inodes for fileio") and became more easily exploitable after commit 9f74ae8c9ac9 reduced the bio array capacity from 256 to 16 folios (NVD, Debian Tracker).

The vulnerability occurs in the erofsfileioscanfolio() function when bioaddfolio() fails due to a full buffer. When this happens, the function needs to submit the I/O request via erofsfileiorqsubmit() and allocate a new I/O request with an empty struct bio. The issue stems from incorrect ordering of erofsonlinefoliosplit() calls relative to bioaddfolio(), which results in folio->private being incremented without a matching erofsonlinefolioend() call (NVD).

When exploited, this vulnerability results in folios becoming permanently locked, causing all waiters to become stuck in foliowaitbit_common(). This condition can lead to system resource exhaustion and potential denial of service conditions (Wiz).

The vulnerability has been fixed by modifying the code to invoke erofsonlinefoliosplit() only after bioaddfolio() has succeeded. This fix ensures proper synchronization between folio operations. The fix has been implemented in various Linux distributions, with Debian marking it as fixed in versions 6.12.29-1 and later (Debian Tracker).