-
CVE-2025-39691
- EPSS 0.04%
- Published 05.09.2025 17:20:57
- Last modified 08.09.2025 16:25:38
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved:
fs/buffer: fix use-after-free when call bh_read() helper
There's issue as follows:
BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_address_description.constprop.0+0x2c/0x390
print_report+0xb4/0x270
kasan_report+0xb8/0xf0
end_buffer_read_sync+0xe3/0x110
end_bio_bh_io_sync+0x56/0x80
blk_update_request+0x30a/0x720
scsi_end_request+0x51/0x2b0
scsi_io_completion+0xe3/0x480
? scsi_device_unbusy+0x11e/0x160
blk_complete_reqs+0x7b/0x90
handle_softirqs+0xef/0x370
irq_exit_rcu+0xa5/0xd0
sysvec_apic_timer_interrupt+0x6e/0x90
</IRQ>
Above issue happens when do ntfs3 filesystem mount, issue may happens
as follows:
mount IRQ
ntfs_fill_super
read_cache_page
do_read_cache_folio
filemap_read_folio
mpage_read_folio
do_mpage_readpage
ntfs_get_block_vbo
bh_read
submit_bh
wait_on_buffer(bh);
blk_complete_reqs
scsi_io_completion
scsi_end_request
blk_update_request
end_bio_bh_io_sync
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
wait_on_buffer(bh);--> return will return to caller
put_bh
--> trigger stack-out-of-bounds
In the mpage_read_folio() function, the stack variable 'map_bh' is
passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and
wait_on_buffer() returns to continue processing, the stack variable
is likely to be reclaimed. Consequently, during the end_buffer_read_sync()
process, calling put_bh() may result in stack overrun.
If the bh is not allocated on the stack, it belongs to a folio. Freeing
a buffer head which belongs to a folio is done by drop_buffers() which
will fail to free buffers which are still locked. So it is safe to call
put_bh() before __end_buffer_read_notouch().Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
70a09115da586bf662c3bae9c0c4a1b99251fad9
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
3169edb8945c295cf89120fc6b2c35cfe3ad4c9e
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
03b40bf5d0389ca23ae6857ee25789f0e0b47ce8
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
c5aa6ba1127307ab5dc3773eaf40d73a3423841f
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
042cf48ecf67f72c8b3846c7fac678f472712ff3
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
90b5193edb323fefbee0e4e5bc39ed89dcc37719
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
Version <
7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
2.6.12
Status
affected
Version <
2.6.12
Version
0
Status
unaffected
Version <=
5.4.*
Version
5.4.297
Status
unaffected
Version <=
5.10.*
Version
5.10.241
Status
unaffected
Version <=
5.15.*
Version
5.15.190
Status
unaffected
Version <=
6.1.*
Version
6.1.149
Status
unaffected
Version <=
6.6.*
Version
6.6.103
Status
unaffected
Version <=
6.12.*
Version
6.12.44
Status
unaffected
Version <=
6.16.*
Version
6.16.4
Status
unaffected
Version <=
*
Version
6.17-rc3
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.092 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|