CVE-2025-37780

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-37780
In the Linux kernel, the following vulnerability has been resolved: isofs: Prevent the use of too small fid syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires at least 16 bytes of f_handle. Here, fh_len is used to indirectly confirm that the value of handle_bytes is greater than 3 before accessing parent_block. [1] BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466 CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x198/0x550 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 handle_to_path fs/fhandle.c:385 [inline] do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6466: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 kmalloc_noprof include/linux/slab.h:905 [inline] handle_to_path fs/fhandle.c:357 [inline] do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e Patch
https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845 Patch
https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb Patch
https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b Patch
https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0 Patch
https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a Patch
https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa Patch
https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749 Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

06 Nov 2025, 19:11

Type Values Removed Values Added
CWE CWE-125
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel
References () https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e - () https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e - Patch
References () https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845 - () https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845 - Patch
References () https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb - () https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb - Patch
References () https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b - () https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b - Patch
References () https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0 - () https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0 - Patch
References () https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a - () https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a - Patch
References () https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa - () https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa - Patch
References () https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749 - () https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html - () https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html - () https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html - Mailing List, Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.1
CPE cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*

03 Nov 2025, 20:18

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html -
  • () https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html -

02 May 2025, 13:53

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: isofs: Impedir el uso de fid demasiado pequeño. syzbot informó de una lectura fuera de los límites de slab en isofs_fh_to_parent. [1] El valor de handle_bytes pasado por el programa de reproducción es igual a 12. En handle_to_path(), solo se asignan 12 bytes de memoria para el miembro de la estructura file_handle->f_handle, lo que provoca un acceso fuera de los límites al acceder al miembro parent_block de la estructura isofs_fid en isofs, ya que acceder a parent_block requiere al menos 16 bytes de f_handle. Aquí, fh_len se utiliza para confirmar indirectamente que el valor de handle_bytes es mayor que 3 antes de acceder a parent_block. [1] ERROR: KASAN: slab fuera de los límites en isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 Lectura de tamaño 4 en la dirección ffff0000cc030d94 por la tarea syz-executor215/6466 CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 No contaminado 6.14.0-rc7-syzkaller-ga2392f333575 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x198/0x550 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 handle_to_path fs/fhandle.c:385 [inline] do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6466: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 kmalloc_noprof include/linux/slab.h:905 [inline] handle_to_path fs/fhandle.c:357 [inline] do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

02 May 2025, 07:16

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0 -
  • () https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a -
  • () https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749 -

01 May 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-01 14:15

Updated : 2025-11-06 19:11

NVD link : CVE-2025-37780

Mitre link : CVE-2025-37780

CVE.ORG link : CVE-2025-37780

JSON object : View

Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
CWE-125

Out-of-bounds Read