CVE-2025-40007: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40007 is a reference leak vulnerability in the Linux kernel's netfs subsystem, discovered and disclosed on October 20, 2025. The issue affects the netfsallocrequest() function, which was modified to initialize the reference counter incorrectly, leading to potential memory leaks (NVD).

The vulnerability stems from a modification in commit 20d72b00ca81 that changed netfsallocrequest() to initialize the reference counter to 2 instead of 1. While the second reference was intended to be released by the request's work item after completion, it creates a leak when the request is released before I/O operation submission. The error code path only decrements the counter once, and the work item never queues due to lack of completion. Red Hat has assigned this vulnerability a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability has caused server cluster outages by blocking tasks in netfswaitforoutstandingio(), leading to deadlocks in Ceph. The issue occurs when netfspgpriv2begincopytocache() fails in fscachebeginwriteoperation(), resulting in leaked netfsiorequest objects and permanently positive netfsinode.iocount values (NVD).

A fix has been implemented that introduces a new function netfsputfailedrequest() which frees failed requests synchronously, assuming a reference count of exactly 2. The fix includes modifying early failure code paths to use this new function instead of netfsputrequest(). Additionally, a netfsputrequest() call has been added to netfsunbuffered_read() (NVD).