CVE-2025-40105: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40105 is a vulnerability in the Linux kernel's Virtual File System (VFS) that was discovered and disclosed on October 30, 2025. The issue affects the handling of disconnected dentries during unmount operations, specifically when using the openbyhandle_at() system call (Red Hat CVE, Debian Tracker).

The vulnerability occurs when openbyhandleat() is called on an uncached inode, creating a disconnected dentry. If this dentry is a directory, exportfsdecodefhraw() attempts to connect it to the dentry tree through reconnectpath(). Due to various conditions like corrupted filesystems or race conditions with rename operations, lookuponeunlocked() in reconnectone() may fail to find the target dentry and instead create a new one under the parent. This new dentry isn't properly marked as disconnected, leading to inconsistency in disconnected flags. The issue became more significant after commit f1ee616214cb which changed how disconnected dentries are handled (Red Hat CVE). The vulnerability has been assigned a CVSS v3.1 base score of 5.5, with attack vector being Local (AV:L), attack complexity Low (AC:L), and requiring low privileges (PR:L) (Red Hat CVE).

The primary impact of this vulnerability is resource exhaustion. When affected dentries aren't properly marked as disconnected, they aren't reclaimed as expected, leading to memory leaks. These leaked dentries persist in memory until either memory reclaim occurs or the system encounters the 'Busy inodes after unmount' error during unmount operations (Red Hat CVE).

The fix involves ensuring that all dentries created under a disconnected parent are properly marked as disconnected. This has been implemented in Linux kernel version 6.17.6-1 for some distributions. For other versions, the fix is either deferred or pending. Red Hat Enterprise Linux 7 is not affected, while versions 8, 9, and 10 have deferred fixes (Red Hat CVE, Debian Tracker).