{ "threat_severity" : "Moderate", "public_date" : "2025-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: ext4: fix off-by-one error in do_split", "id" : "2363268", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363268" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix off-by-one error in do_split\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:488\nkasan_report+0x143/0x180 mm/kasan/report.c:601\nkasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\next4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nadd_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\nmake_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\next4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\next4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\next4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\nvfs_symlink+0x137/0x2e0 fs/namei.c:4615\ndo_symlinkat+0x222/0x3a0 fs/namei.c:4641\n__do_sys_symlink fs/namei.c:4662 [inline]\n__se_sys_symlink fs/namei.c:4660 [inline]\n__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe following loop is located right above 'if' statement.\nfor (i = count-1; i >= 0; i--) {\n/* is more than half of this entry in 2nd half of the block? */\nif (size + map[i].size/2 > blocksize/2)\nbreak;\nsize += map[i].size;\nmove++;\n}\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-06-23T00:00:00Z", "advisory" : "RHSA-2025:9348", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.18.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14746", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.137.1.rt56.1289.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14748", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.137.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-16T00:00:00Z", "advisory" : "RHSA-2025:11299", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.62.1.rt7.403.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-16T00:00:00Z", "advisory" : "RHSA-2025:11298", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.62.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13805", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.168.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13805", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.168.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13061", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.104.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:13061", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.104.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-23T00:00:00Z", "advisory" : "RHSA-2025:9302", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.23.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-23T00:00:00Z", "advisory" : "RHSA-2025:9302", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.23.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12526", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.140.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-04T00:00:00Z", "advisory" : "RHSA-2025:12525", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.140.1.rt21.212.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-23T00:00:00Z", "advisory" : "RHSA-2025:11571", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.126.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-23T00:00:00Z", "advisory" : "RHSA-2025:11572", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.126.1.rt14.411.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11245", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.77.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23150\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23150\nhttps://lore.kernel.org/linux-cve-announce/2025050127-CVE-2025-23150-15b8@gregkh/T" ], "name" : "CVE-2025-23150", "csaw" : false }