CVE-2025-22036

Advisory lineage Upstream: 0 Downstream: 28

Downstream

DEBIAN-CVE-2025-22036 LSN-0117-1 LSN-0118-1 RHSA-2025:10854 SUSE-SU-2025:01614-1 SUSE-SU-2025:01707-1

Modified

Published: 16 Apr 2025, 14:11

Last modified:11 May 2026, 21:11

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7 HIGH

v3.1 (cve.org)

EPSS Score

0.05% LOW

0% probability +0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Apr 2025, 14:11

Published

Vulnerability first disclosed

11 May 2026, 21:11

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. <CPU 0> <CPU 1> mpage_read_folio <<bh on stack>> do_mpage_readpage exfat_get_block bh_read __bh_read get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <<keep going>> ... ... ... ... <<bh is not valid out of mpage_read_folio>> . . another_function <<variable A on stack>> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head.

CVSS Metrics

v3.1•HIGH•Score: 7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.05%• Percentile: 17%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

linux•linux
≥ 11a347fb6cef62ce47e84b97c45f2b2497c7593b, < 49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2 | ≥ 11a347fb6cef62ce47e84b97c45f2b2497c7593b, < f7447286363dc1e410bf30b87d75168f3519f9cc | ≥ 11a347fb6cef62ce47e84b97c45f2b2497c7593b, < f807a6bf2005740fa26b4f59c4a003dc966b9afd | ≥ 11a347fb6cef62ce47e84b97c45f2b2497c7593b, < 1bb7ff4204b6d4927e982cd256286c09ed4fd8ca | 6.8
linux•linux_kernel
≥ 6.8, < 6.12.23 | ≥ 6.13, < 6.13.11 | ≥ 6.14, < 6.14.2