CVE-2025-39731: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-39731 is a vulnerability discovered in the Linux kernel's F2FS (Flash-Friendly File System) implementation, specifically related to the vm_unmap_ram() function being called from an invalid context. The vulnerability was disclosed on September 7, 2025, and affects various Linux distributions and systems using the F2FS filesystem (NVD, Ubuntu).

The vulnerability occurs when f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context during F2FS operations with UFS backed virtual disks. The issue manifests as a sleeping function being called from an invalid context at mm/vmalloc.c:2978, with specific conditions including in_atomic(): 1, irqs_disabled(): 1, and non_block: 0. The vulnerability has been assigned a CVSS v3 base score of 5.5, indicating moderate severity (NVD).

The vulnerability can lead to system instability and potential crashes when F2FS filesystem operations are performed under specific conditions. This particularly affects systems using UFS backed virtual disks with F2FS, where the improper context handling can trigger kernel warnings and potentially compromise system stability (NVD).

A patch has been developed that modifies the in_task() check inside f2fs_read_end_io() to also verify if interrupts are disabled. This ensures that pages are unmapped asynchronously in an interrupt handler. The fix has been incorporated into various Linux distributions, with Ubuntu marking it as affecting their newer releases (25.04 and 24.04 LTS) while older versions are not affected (Ubuntu).