Wind River Support Network

HomeDefectsLIN1024-13010
Acknowledged

LIN1024-13010 : Security Advisory - linux - CVE-2025-40044

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]fs: udf: fix OOB read in lengthAllocDescs handling[EOL][EOL]When parsing Allocation Extent Descriptor, lengthAllocDescs comes from[EOL]on-disk data and must be validated against the block size. Crafted or[EOL]corrupted images may set lengthAllocDescs so that the total descriptor[EOL]length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,[EOL]leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and[EOL]trigger a KASAN use-after-free read.[EOL][EOL]BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60[EOL]Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309[EOL][EOL]CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0[EOL]Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014[EOL]Call Trace:[EOL] <TASK>[EOL] __dump_stack lib/dump_stack.c:94 [inline][EOL] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120[EOL] print_address_description mm/kasan/report.c:377 [inline][EOL] print_report+0x169/0x550 mm/kasan/report.c:488[EOL] kasan_report+0x143/0x180 mm/kasan/report.c:601[EOL] crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60[EOL] udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261[EOL] udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179[EOL] extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46[EOL] udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106[EOL] udf_release_file+0xc1/0x120 fs/udf/file.c:185[EOL] __fput+0x23f/0x880 fs/file_table.c:431[EOL] task_work_run+0x24f/0x310 kernel/task_work.c:239[EOL] exit_task_work include/linux/task_work.h:43 [inline][EOL] do_exit+0xa2f/0x28e0 kernel/exit.c:939[EOL] do_group_exit+0x207/0x2c0 kernel/exit.c:1088[EOL] __do_sys_exit_group kernel/exit.c:1099 [inline][EOL] __se_sys_exit_group kernel/exit.c:1097 [inline][EOL] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097[EOL] x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232[EOL] do_syscall_x64 arch/x86/entry/common.c:52 [inline][EOL] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL] </TASK>[EOL][EOL]Validate the computed total length against epos->bh->b_size.[EOL][EOL]Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube