{
  "threat_severity" : "Moderate",
  "public_date" : "2025-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: ignore xattrs past end",
    "id" : "2363305",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363305"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: ignore xattrs past end\nOnce inside 'ext4_xattr_inode_dec_ref_all' we should\nignore xattrs entries past the 'end' entry.\nThis fixes the following KASAN reported issue:\nBUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n---truncated---", "A use-after-free vulnerability has been discovered in the Linux kernel, specifically within the ext4_xattr_inode_dec_ref_all function (related to the ext4 filesystem's extended attributes). An attacker could exploit this flaw by providing a specially crafted payload, leading to a denial of service condition that compromises system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9348",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.18.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-16T00:00:00Z",
    "advisory" : "RHSA-2025:11299",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.62.1.rt7.403.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-16T00:00:00Z",
    "advisory" : "RHSA-2025:11298",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.62.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12623",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.162.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12238",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.165.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12238",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.165.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13099",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.155.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13099",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.155.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13099",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.155.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-05T00:00:00Z",
    "advisory" : "RHSA-2025:13061",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.104.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-05T00:00:00Z",
    "advisory" : "RHSA-2025:13061",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.104.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9302",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.23.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9302",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.23.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-07-14T00:00:00Z",
    "advisory" : "RHSA-2025:10830",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.138.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-07-14T00:00:00Z",
    "advisory" : "RHSA-2025:10829",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.138.1.rt21.210.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10671",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.124.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10675",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.124.1.rt14.409.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-07-15T00:00:00Z",
    "advisory" : "RHSA-2025:11245",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.77.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-37738\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37738\nhttps://lore.kernel.org/linux-cve-announce/2025050132-CVE-2025-37738-deb1@gregkh/T" ],
  "name" : "CVE-2025-37738",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}