CVE-2025-40044

UNKNOWN 0.0

fs: udf: fix OOB read in lengthAllocDescs handling

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Oct 28, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 14496175b264d30c2045584ee31d062af2e3a660 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1d1847812a1a5375c10a2a779338df643f79c047 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 918649364fbca7d5df72522ca795479edcd25f91 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a70dcfa8d0a0cc530a6af59483dfca260b652c1b 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 459404f858213967ccfff336c41747d8dd186d38 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3bd5e45c2ce30e239d596becd5db720f7eb83c99

Linux / Linux

2.6.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗