CVE-2025-23150
Public on
Last Modified:
Moderate
Moderate Impact
What does this mean?
Description
The MITRE CVE dictionary describes this issue as
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off-by-one error in do_split
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above 'if' statement.
for (i = count-1; i >= 0; i--) {
/* is more than half of this entry in 2nd half of the block? */
if (size + map[i].size/2 > blocksize/2)
break;
size += map[i].size;
move++;
}
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Additional Information
- This content is not included.Bugzilla 2363268: kernel: ext4: fix off-by-one error in do_split
- Content from cwe.mitre.org is not included.CWE-416: Use After Free
- FAQ: Frequently asked questions about CVE-2025-23150
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.
External References
Content from www.cve.org is not included.https://www.cve.org/CVERecord?id=CVE-2025-23150
Content from nvd.nist.gov is not included.https://nvd.nist.gov/vuln/detail/CVE-2025-23150
Affected Packages and Issued Red Hat Security Errata
| Products / Services | Components | State | Errata |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:9348 |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel-rt | Fixed | RHSA-2025:14746 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel | Fixed | RHSA-2025:14748 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2025:11298 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2025:11299 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:13805 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | kernel | Fixed | RHSA-2025:13805 |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:13776 |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | kernel | Fixed | RHSA-2025:13776 |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | kernel | Fixed | RHSA-2025:13776 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | kernel | Fixed | RHSA-2025:13061 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | kernel | Fixed | RHSA-2025:13061 |
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:9302 |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | kernel-rt | Fixed | RHSA-2025:12525 |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | kernel | Fixed | RHSA-2025:12526 |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | kernel | Fixed | RHSA-2025:11571 |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | kernel-rt | Fixed | RHSA-2025:11572 |
| Red Hat Enterprise Linux 9.4 Extended Update Support | kernel | Fixed | RHSA-2025:11245 |
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authorities (CNA) source for its products and services (see Red Hat classifications ).
| CVSS v3 Score Breakdown | Red Hat | NVD |
|---|---|---|
| CVSS v3 Base Score | 7.1 | 5.5 |
| Attack Vector | Local | Local |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | High | None |
| Integrity Impact | None | None |
| Availability Impact | High | High |
CVSS v3 Vector
Red Hat CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
NVD CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
For more information, see https://access.redhat.com/solutions/762393.
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
- "Under investigation" doesn't necessarily mean that the product is affected by this vulnerability. It only means that our Analysis Team is still working on determining whether the product is affected and how it is affected.
- "Affected" means that our Analysis Team has determined that this product is affected by this vulnerability and might release a fix to address this in the near future.
What can I do if my product is listed as "Will not fix"?
Available options depend mostly on the Impact of the vulnerability and the current Life Cycle phase of your product. Overall, you have the following options:
- Upgrade to a supported product version that includes a fix for this vulnerability (recommended).
- Apply a mitigation (if one exists).
- Open a This content is not included.support case to request a prioritization of releasing a fix for this vulnerability.
What can I do if my product is listed as "Fix deferred"?
Available options depend mostly on the Impact of the vulnerability and the current Life Cycle phase of your product. Overall, you have the following options:
- Apply a mitigation (if one exists).
- Open a This content is not included.support case to request a prioritization of releasing a fix for this vulnerability.
- Red Hat Engineering focuses on addressing high-priority issues based on their complexity or limited lifecycle support. Therefore, lower-priority issues will not receive immediate fixes.
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
My product is listed as "Out of Support Scope". What does this mean?
Not sure what something means? Check out our Security Glossary.