-

CVE-2025-40044

In the Linux kernel, the following vulnerability has been resolved:

fs: udf: fix OOB read in lengthAllocDescs handling

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.

BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Validate the computed total length against epos->bh->b_size.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 14496175b264d30c2045584ee31d062af2e3a660
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 1d1847812a1a5375c10a2a779338df643f79c047
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 918649364fbca7d5df72522ca795479edcd25f91
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < a70dcfa8d0a0cc530a6af59483dfca260b652c1b
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 459404f858213967ccfff336c41747d8dd186d38
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 3bd5e45c2ce30e239d596becd5db720f7eb83c99
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.12
Status affected
Version < 2.6.12
Version 0
Status unaffected
Version <= 5.4.*
Version 5.4.301
Status unaffected
Version <= 5.10.*
Version 5.10.246
Status unaffected
Version <= 5.15.*
Version 5.15.195
Status unaffected
Version <= 6.1.*
Version 6.1.156
Status unaffected
Version <= 6.6.*
Version 6.6.112
Status unaffected
Version <= 6.12.*
Version 6.12.53
Status unaffected
Version <= 6.17.*
Version 6.17.3
Status unaffected
Version <= *
Version 6.18
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.216
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String