{ "threat_severity" : "Important", "public_date" : "2025-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: udf: Fix a slab-out-of-bounds write bug in udf_find_entry()", "id" : "2363432", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363432" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nudf: Fix a slab-out-of-bounds write bug in udf_find_entry()\nSyzbot reported a slab-out-of-bounds Write bug:\nloop0: detected capacity change from 0 to 2048\n==================================================================\nBUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0\nfs/udf/namei.c:253\nWrite of size 105 at addr ffff8880123ff896 by task syz-executor323/3610\nCPU: 0 PID: 3610 Comm: syz-executor323 Not tainted\n6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/11/2022\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\nprint_address_description+0x74/0x340 mm/kasan/report.c:284\nprint_report+0x107/0x1f0 mm/kasan/report.c:395\nkasan_report+0xcd/0x100 mm/kasan/report.c:495\nkasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189\nmemcpy+0x3c/0x60 mm/kasan/shadow.c:66\nudf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253\nudf_lookup+0xef/0x340 fs/udf/namei.c:309\nlookup_open fs/namei.c:3391 [inline]\nopen_last_lookups fs/namei.c:3481 [inline]\npath_openat+0x10e6/0x2df0 fs/namei.c:3710\ndo_filp_open+0x264/0x4f0 fs/namei.c:3740\ndo_sys_openat2+0x124/0x4e0 fs/open.c:1310\ndo_sys_open fs/open.c:1326 [inline]\n__do_sys_creat fs/open.c:1402 [inline]\n__se_sys_creat fs/open.c:1396 [inline]\n__x64_sys_creat+0x11f/0x160 fs/open.c:1396\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ffab0d164d9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9\nRDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180\nRBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nAllocated by task 3610:\nkasan_save_stack mm/kasan/common.c:45 [inline]\nkasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:371 [inline]\n__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\nkmalloc include/linux/slab.h:576 [inline]\nudf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243\nudf_lookup+0xef/0x340 fs/udf/namei.c:309\nlookup_open fs/namei.c:3391 [inline]\nopen_last_lookups fs/namei.c:3481 [inline]\npath_openat+0x10e6/0x2df0 fs/namei.c:3710\ndo_filp_open+0x264/0x4f0 fs/namei.c:3740\ndo_sys_openat2+0x124/0x4e0 fs/open.c:1310\ndo_sys_open fs/open.c:1326 [inline]\n__do_sys_creat fs/open.c:1402 [inline]\n__se_sys_creat fs/open.c:1396 [inline]\n__x64_sys_creat+0x11f/0x160 fs/open.c:1396\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe buggy address belongs to the object at ffff8880123ff800\nwhich belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 150 bytes inside of\n256-byte region [ffff8880123ff800, ffff8880123ff900)\nThe buggy address belongs to the physical page:\npage:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000\nindex:0x0 pfn:0x123fe\nhead:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),\npid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0\ncreate_dummy_stack mm/page_owner.c:\n---truncated---" ], "statement" : "A slab-out-of-bounds write was discovered in udf_find_entry() due to incorrect allocation size when handling long filenames in split name descriptors. This can be triggered by mounting a crafted UDF image and attempting to create a file with a specially constructed name. Although local privileges are required, the flaw allows kernel memory corruption, leading to potential privilege escalation or DoS.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10670", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.60.1.rt7.401.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10669", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.60.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10977", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10761", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.159.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10828", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.162.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10828", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.162.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10673", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.151.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10673", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.151.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10673", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.151.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10976", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support Long-Life Add-On", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10834", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.8", "package" : "kernel-0:4.18.0-477.101.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10834", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.101.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10834", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.101.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10974", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10379", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.25.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10379", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.25.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10981", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10830", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.138.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10829", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.138.1.rt21.210.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10978", "cpe" : "cpe:/o:redhat:rhel_e4s:9.0", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10671", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.124.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10675", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.124.1.rt14.409.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10980", "cpe" : "cpe:/o:redhat:rhel_e4s:9.2", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10701", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.76.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10979", "cpe" : "cpe:/o:redhat:rhel_eus:9.4", "package" : "kpatch-patch" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49846\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49846\nhttps://lore.kernel.org/linux-cve-announce/2025050142-CVE-2022-49846-728c@gregkh/T" ], "name" : "CVE-2022-49846", "mitigation" : { "value" : "To mitigate this issue, prevent module udf from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }