CVE-2025-39723

EPSS 0.02%
Veröffentlicht 05.09.2025 17:21:31
Zuletzt bearbeitet 08.09.2025 16:25:38
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix unbuffered write error handling

If all the subrequests in an unbuffered write stream fail, the subrequest
collector doesn't update the stream->transferred value and it retains its
initial LONG_MAX value.  Unfortunately, if all active streams fail, then we
take the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set
in wreq->transferred - which is then returned from ->write_iter().

LONG_MAX was chosen as the initial value so that all the streams can be
quickly assessed by taking the smallest value of all stream->transferred -
but this only works if we've set any of them.

Fix this by adding a flag to indicate whether the value in
stream->transferred is valid and checking that when we integrate the
values.  stream->transferred can then be initialised to zero.

This was found by running the generic/750 xfstest against cifs with
cache=none.  It splices data to the target file.  Once (if) it has used up
all the available scratch space, the writes start failing with ENOSPC.
This causes ->write_iter() to fail.  However, it was returning
wreq->transferred, i.e. LONG_MAX, rather than an error (because it thought
the amount transferred was non-zero) and iter_file_splice_write() would
then try to clean up that amount of pipe bufferage - leading to an oops
when it overran.  The kernel log showed:

    CIFS: VFS: Send error in write = -28

followed by:

    BUG: kernel NULL pointer dereference, address: 0000000000000008

with:

    RIP: 0010:iter_file_splice_write+0x3a4/0x520
    do_splice+0x197/0x4e0

or:

    RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)
    iter_file_splice_write (fs/splice.c:755)

Also put a warning check into splice to announce if ->write_iter() returned
that it had written more than it was asked to.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < f08c80af3c9a9849cd178b4843b7c01d103506a1

Version 288ace2f57c9d06dd2e42bd80d03747d879a4068

Status affected

Version < 387164a2b97e1f5404c6d0049a7409bac7d2bc5b

Version 288ace2f57c9d06dd2e42bd80d03747d879a4068

Status affected

Version < a3de58b12ce074ec05b8741fa28d62ccb1070468

Version 288ace2f57c9d06dd2e42bd80d03747d879a4068

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.10

Status affected

Version < 6.10

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.44

Status unaffected

Version <= 6.16.*

Version 6.16.4

Status unaffected

Version <= *

Version 6.17-rc3

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.05

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/f08c80af3c9a9849cd178b4843b7c01d103506a1

https://git.kernel.org/stable/c/387164a2b97e1f5404c6d0049a7409bac7d2bc5b

https://git.kernel.org/stable/c/a3de58b12ce074ec05b8741fa28d62ccb1070468

https://nvd.nist.gov/vuln/detail/CVE-2025-39723

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39723

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39723

EUVD