CVE-2025-23150 (GCVE-0-2025-23150)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2026-05-23 15:58
VLAI
Title
ext4: fix off-by-one error in do_split
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline] __se_sys_symlink fs/namei.c:4660 [inline] __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The following loop is located right above 'if' statement. for (i = count-1; i >= 0; i--) { /* is more than half of this entry in 2nd half of the block? */ if (size + map[i].size/2 > blocksize/2) break; size += map[i].size; move++; } 'i' in this case could go down to -1, in which case sum of active entries wouldn't exceed half the block size, but previous behaviour would also do split in half if sum would exceed at the very last block, which in case of having too many long name files in a single block could lead to out-of-bounds access and following use-after-free. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ea54176e5821936d109bb45dc2c19bd53559e735 , < b96bd2c3db26ad0daec5b78c85c098b53900e2e1 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 515c34cff899eb5dae6aa7eee01c1295b07d81af (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 2883e9e74f73f9265e5f8d1aaaa89034b308e433 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 35d0aa6db9d93307085871ceab8a729594a98162 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 16d9067f00e3a7d1df7c3aa9c20d214923d27e10 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 17df39f455f1289319d4d09e4826aa46852ffd17 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < ab0cc5c25552ae0d20eae94b40a93be11b080fc5 (git)
Affected: 5872331b3d91820e14716632ebb56b1399b34fe1 , < 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d (git)
Affected: 059b1480105478c5f68cf664301545b8cad6a7cf (git)
Affected: 539ae3e03875dacaa9c388aff141ccbb4ef4ecb5 (git)
Affected: fbbfd55a40d5d0806b59ee0403c75d5ac517533f (git)
Affected: b3ddf6ba5e28a57729fff1605ae08e21be5c92e3 (git)
Affected: e50fe43e3062e18846e99d9646b9c07b097eb1ed (git)
Affected: 88e79f7a9841278fa8ff7ff6178bad12da002ffc (git)
Affected: 5.4.61 , < 5.4.293 (semver)
Affected: 4.4.234 , < 4.5 (semver)
Affected: 4.9.234 , < 4.10 (semver)
Affected: 4.14.195 , < 4.15 (semver)
Affected: 4.19.142 , < 4.20 (semver)
Affected: 5.7.18 , < 5.8 (semver)
Affected: 5.8.4 , < 5.9 (semver)
Create a notification for this product.
Linux Linux Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:46.918Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b96bd2c3db26ad0daec5b78c85c098b53900e2e1",
              "status": "affected",
              "version": "ea54176e5821936d109bb45dc2c19bd53559e735",
              "versionType": "git"
            },
            {
              "lessThan": "515c34cff899eb5dae6aa7eee01c1295b07d81af",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "2883e9e74f73f9265e5f8d1aaaa89034b308e433",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "35d0aa6db9d93307085871ceab8a729594a98162",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "16d9067f00e3a7d1df7c3aa9c20d214923d27e10",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "17df39f455f1289319d4d09e4826aa46852ffd17",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "ab0cc5c25552ae0d20eae94b40a93be11b080fc5",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "lessThan": "94824ac9a8aaf2fb3c54b4bdde842db80ffa555d",
              "status": "affected",
              "version": "5872331b3d91820e14716632ebb56b1399b34fe1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "059b1480105478c5f68cf664301545b8cad6a7cf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "539ae3e03875dacaa9c388aff141ccbb4ef4ecb5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fbbfd55a40d5d0806b59ee0403c75d5ac517533f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b3ddf6ba5e28a57729fff1605ae08e21be5c92e3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e50fe43e3062e18846e99d9646b9c07b097eb1ed",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "88e79f7a9841278fa8ff7ff6178bad12da002ffc",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.293",
              "status": "affected",
              "version": "5.4.61",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.234",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.234",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.195",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.142",
              "versionType": "semver"
            },
            {
              "lessThan": "5.8",
              "status": "affected",
              "version": "5.7.18",
              "versionType": "semver"
            },
            {
              "lessThan": "5.9",
              "status": "affected",
              "version": "5.8.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "5.4.61",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.7.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThe following loop is located right above \u0027if\u0027 statement.\n\nfor (i = count-1; i \u003e= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 \u003e blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n\u0027i\u0027 in this case could go down to -1, in which case sum of active entries\nwouldn\u0027t exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:58:03.577Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af"
        },
        {
          "url": "https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162"
        },
        {
          "url": "https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10"
        },
        {
          "url": "https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d"
        }
      ],
      "title": "ext4: fix off-by-one error in do_split",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23150",
    "datePublished": "2025-05-01T12:55:38.190Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2026-05-23T15:58:03.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-23150",
      "date": "2026-05-27",
      "epss": "0.00063",
      "percentile": "0.19755"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23150\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T13:15:50.893\",\"lastModified\":\"2025-11-05T18:03:36.057\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix off-by-one error in do_split\\n\\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\\ncaused by out-of-bounds access due to incorrect splitting in do_split.\\n\\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\\n\\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:94 [inline]\\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x169/0x550 mm/kasan/report.c:488\\n kasan_report+0x143/0x180 mm/kasan/report.c:601\\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\\n __do_sys_symlink fs/namei.c:4662 [inline]\\n __se_sys_symlink fs/namei.c:4660 [inline]\\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n \u003c/TASK\u003e\\n\\nThe following loop is located right above \u0027if\u0027 statement.\\n\\nfor (i = count-1; i \u003e= 0; i--) {\\n\\t/* is more than half of this entry in 2nd half of the block? */\\n\\tif (size + map[i].size/2 \u003e blocksize/2)\\n\\t\\tbreak;\\n\\tsize += map[i].size;\\n\\tmove++;\\n}\\n\\n\u0027i\u0027 in this case could go down to -1, in which case sum of active entries\\nwouldn\u0027t exceed half the block size, but previous behaviour would also do\\nsplit in half if sum would exceed at the very last block, which in case of\\nhaving too many long name files in a single block could lead to\\nout-of-bounds access and following use-after-free.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: se corrige el error de uno en uno en do_split Syzkaller detect\u00f3 un problema de use-after-free en ext4_insert_dentry que fue causado por un acceso fuera de los l\u00edmites debido a una divisi\u00f3n incorrecta en do_split. ERROR: KASAN: use-after-free en ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Escritura de tama\u00f1o 251 en la direcci\u00f3n ffff888074572f14 por la tarea syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 No contaminado 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 30/10/2024 Rastreo de llamadas:   __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline] __se_sys_symlink fs/namei.c:4660 [inline] __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f  El siguiente bucle se encuentra justo encima de la declaraci\u00f3n \u0027if\u0027. for (i = count-1; i \u0026gt;= 0; i--) { /* \u00bfhay m\u00e1s de la mitad de esta entrada en la 2da mitad del bloque? */ if (size + map[i].size/2 \u0026gt; blocksize/2) break; size += map[i].size; move++; } En este caso, la \u0027i\u0027 podr\u00eda bajar a -1, en cuyo caso la suma de las entradas activas no superar\u00eda la mitad del tama\u00f1o del bloque. Sin embargo, el comportamiento anterior tambi\u00e9n se dividir\u00eda por la mitad si la suma superara el tama\u00f1o del \u00faltimo bloque. Esto, al tener demasiados archivos con nombres largos en un solo bloque, podr\u00eda provocar un acceso fuera de los l\u00edmites y el consiguiente uso despu\u00e9s de la liberaci\u00f3n. Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-193\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.234\",\"versionEndExcluding\":\"4.5\",\"matchCriteriaId\":\"828A2CDB-B224-45AA-9561-4FCB1D464807\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9.234\",\"versionEndExcluding\":\"4.10\",\"matchCriteriaId\":\"1CA6F6DB-8D68-4032-86B2-DAF5F766ACE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.14.195\",\"versionEndExcluding\":\"4.15\",\"matchCriteriaId\":\"95AB963D-E230-42F5-B369-0B44029D2718\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.142\",\"versionEndExcluding\":\"4.20\",\"matchCriteriaId\":\"DC87236D-0EFA-41DF-BBE9-FF75394EBBD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.61\",\"versionEndExcluding\":\"5.4.293\",\"matchCriteriaId\":\"272803FC-25EE-4BB2-A85A-B7B4ABE3DE5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7.18\",\"versionEndExcluding\":\"5.8\",\"matchCriteriaId\":\"8141C666-AECC-41B8-BD7E-DED92216B4A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.8.4\",\"versionEndExcluding\":\"5.9\",\"matchCriteriaId\":\"560FB3D4-80AB-415C-96DA-0097E0BCB36F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.9.1\",\"versionEndExcluding\":\"5.10.237\",\"matchCriteriaId\":\"6CC99F84-24B3-4B7B-AB04-D917F7E74F8D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.181\",\"matchCriteriaId\":\"12331C9E-F601-4EFC-899E-369F98DCC70B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.135\",\"matchCriteriaId\":\"5B9ACE29-7445-4B6F-B761-6367C005E275\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.88\",\"matchCriteriaId\":\"6E5947E5-45E3-462A-829B-382B3B1C61BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.24\",\"matchCriteriaId\":\"1D35A8A8-F3EC-45E6-AD37-1F154B27529D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.12\",\"matchCriteriaId\":\"4A475784-BF3B-4514-81EE-49C8522FB24A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.14.3\",\"matchCriteriaId\":\"483E2E15-2135-4EC6-AB64-16282C5EF704\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F79A2EB6-623E-4749-AEE0-DCB58C4C42F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A67F6509-9592-44D5-8C65-B0791C7A501A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"A52A4ABE-5C24-4CD4-A348-E303B7F23C71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"12019CF2-FD8E-4D59-BA4C-7093DF0BB091\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B1AB90E-C0C6-4027-B27D-BA214BE33561\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"103FE5BA-7315-4263-9C95-EABEAD7E174F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"47E31D6A-31EC-4F63-9CAE-B7A52B58E149\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.9:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"3497462B-A3DA-47CC-A5DD-C1C2D2E6DFDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D465631-2980-487A-8E65-40AE2B9F8ED1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.