CVE-2025-40082
Vulnerability Summary
Description
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290

CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x5f0 mm/kasan/report.c:482
 kasan_report+0xca/0x100 mm/kasan/report.c:595
 hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
 hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
 </TASK>

Allocated by task 14290:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4333 [inline]
 __kmalloc_noprof+0x219/0x540 mm/slub.c:4345
 kmalloc_noprof include/linux/slab.h:909 [inline]
 hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
 hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

When hfsplus_uni2asc is called from hfsplus_listxattr, it actually passes in a struct hfsplus_attr_unistr*. The size of the corresponding structure is different from that of hfsplus_unistr, so the previous fix (94458781aee6) is insufficient. The pointer on the unicode buffer is still going beyond the allocated memory. This patch introduces two wrapper functions hfsplus_uni2asc_xattr_str and hfsplus_uni2asc_str to process two unicode buffers, struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively. When ustrlen value is bigger than the allocated memory size, the ustrlen value is limited to a safe size.
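As an added example (not the kernel's own code), the bounding rule the fix describes, written in C: the claimed string length is limited by the end of the actual allocation, not only by the type's maximum, which is why clamping to the larger hfsplus_unistr limit was not enough for the smaller hfsplus_attr_unistr. The struct layouts, limits and the 64-byte key buffer are assumptions constructed for the demo, modelled on the kernel's hfsplus_raw.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed on-disk limits and packed layouts (constructed for this demo). */
#define HFSPLUS_MAX_STRLEN      255
#define HFSPLUS_ATTR_MAX_STRLEN 127

struct hfsplus_attr_unistr {
    uint16_t length;                              /* big-endian on disk */
    uint16_t unicode[HFSPLUS_ATTR_MAX_STRLEN];
} __attribute__((packed));

struct hfsplus_attr_key {                         /* assumed layout */
    uint16_t key_len;
    uint32_t cnid;
    uint16_t pad;
    struct hfsplus_attr_unistr key_name;
} __attribute__((packed));

/* Shape of the earlier, insufficient fix: it only knows a type maximum and
 * cannot see how large the backing allocation really is. */
static uint16_t clamp_to_type_max(uint16_t claimed, uint16_t type_max)
{
    return claimed > type_max ? type_max : claimed;
}

/* Hardened bound: claimed length limited by the type maximum AND by the
 * number of 16-bit units that lie between the array start and the end of
 * the allocation [buf, buf + buf_size). Returns 0 if the array is outside. */
static uint16_t safe_ustrlen(const void *buf, size_t buf_size,
                             const uint16_t *unicode, uint16_t claimed,
                             uint16_t type_max)
{
    uintptr_t base = (uintptr_t)buf, end = base + buf_size;
    uintptr_t start = (uintptr_t)unicode;
    size_t avail;

    if (start < base || start > end)
        return 0;
    avail = (size_t)(end - start) / sizeof(uint16_t);
    claimed = clamp_to_type_max(claimed, type_max);
    return claimed > avail ? (uint16_t)avail : claimed;
}

/* Constructed scenario: a 64-byte search-key buffer holding an attr key whose
 * name claims `claimed` units. Returns the length a hardened reader uses. */
static uint16_t hardened_len_for(uint16_t claimed)
{
    uint8_t buf[64] = {0};
    size_t off = offsetof(struct hfsplus_attr_key, key_name.unicode); /* 10 */
    return safe_ustrlen(buf, sizeof buf, (const uint16_t *)(buf + off),
                        claimed, HFSPLUS_ATTR_MAX_STRLEN);
}
```

With the unicode array at offset 10 of a 64-byte buffer only 27 units exist, so a claimed 200 is cut to 27 by the hardened bound, while the type-only clamp would still allow 200.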
CVSS Metrics
- v3.1 • HIGH • Score: 7.1 • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Trends
Current EPSS score: 0.01% • Percentile: 1%
Techniques & Countermeasures
- CWE-125 • Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Affected Systems
- linux • linux
  - Git commits and commit ranges:
    - ccf0ad56a779e6704c0b27f555dec847f50c7557
    - 13604b1d7e7b125fb428cddbec6b8d92baad25d5
    - 291bb5d931c6f3cd7227b913302a17be21cf53b0
    - f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee
    - ≥ ccf0ad56a779e6704c0b27f555dec847f50c7557, < 343fe375a8dd6ee51a193a1c233b999f5ea4d479
    - ≥ 13604b1d7e7b125fb428cddbec6b8d92baad25d5, < 782acde47e127c98a113726e2ff8024bd65c0454
    - ≥ 291bb5d931c6f3cd7227b913302a17be21cf53b0, < c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e
    - ≥ f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee, < 5b5228964619b180f366940505b77255b1a03929
    - ≥ 94458781aee6045bd3d0ad4b80b02886b9e2219b, < 857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e
    - ≥ 94458781aee6045bd3d0ad4b80b02886b9e2219b, < bea3e1d4467bcf292c8e54f080353d556d355e26
    - 73f7da507d787b489761a0fa280716f84fa32b2f
    - 76a4c6636a69d69409aa253b049b1be717a539c5
    - 6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9
    - 1ca69007e52a73bd8b84b988b61b319816ca8b01
  - Kernel versions:
    - ≥ 5.15.190, < 5.15.200
    - ≥ 6.1.149, < 6.1.163
    - ≥ 6.6.103, < 6.6.124
    - ≥ 6.12.43, < 6.12.70
    - ≥ 5.4.297, < 5.5
    - ≥ 5.10.241, < 5.11
    - ≥ 6.15.11, < 6.16
    - ≥ 6.16.2, < 6.17
    - 6.17
- linux • linux_kernel
  - Kernel versions:
    - ≥ 5.4.297, < 5.5
    - ≥ 5.10.241, < 5.11
    - ≥ 5.15.190, < 5.15.200
    - ≥ 6.1.149, < 6.1.163
    - ≥ 6.6.103, < 6.6.124
    - ≥ 6.12.43, < 6.12.70
    - ≥ 6.15.11, < 6.16
    - ≥ 6.16.2, < 6.17.3
References (6)
- https://git.kernel.org/stable/c/857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e
- https://git.kernel.org/stable/c/bea3e1d4467bcf292c8e54f080353d556d355e26
- https://git.kernel.org/stable/c/343fe375a8dd6ee51a193a1c233b999f5ea4d479
- https://git.kernel.org/stable/c/782acde47e127c98a113726e2ff8024bd65c0454
- https://git.kernel.org/stable/c/c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e
- https://git.kernel.org/stable/c/5b5228964619b180f366940505b77255b1a03929