CVE-2025-39735

HIGH · EPSS 11.9%
Published Apr 18, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1: 7.1 (High)

Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds read in ea_get()

During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped:

    int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), where it is passed as type size_t (an unsigned type). This is then stored inside a variable called "int remaining", which is then assigned to "int linelen", which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop iterates from 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration:

    for (i = 0; i < len; i += rowsize) {
        linelen = min(remaining, rowsize);
        remaining -= rowsize;
        hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
                           linebuf, sizeof(linebuf), ascii);
        ...
    }

The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to "ptr+i" being passed to hex_dump_to_buffer() getting closer to the end of the actual bounds of "ptr"; eventually an out-of-bounds access is done in hex_dump_to_buffer() in the following for loop:

    for (j = 0; j < len; j++) {
        if (linebuflen < lx + 2)
            goto overflow2;
        ch = ptr[j];
        ...
    }

To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.
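The following user-space C model is an added example, not code from the kernel or from the CVE record: it reproduces the sign truncation that clamp_t(int, ...) performs on an on-disk list size above INT_MAX, shows the negative result becoming a huge size_t length, and puts a validate-before-use check beside it. The function names, clamp_int, and the ea_buf_max parameter are hypothetical stand-ins for the kernel's code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's clamp_t(int, val, lo, hi): every operand is
 * converted to int BEFORE the comparisons, which is where the bug lives. */
static int max_int(int a, int b) { return a > b ? a : b; }
static int min_int(int a, int b) { return a < b ? a : b; }
static int clamp_int(int val, int lo, int hi) { return min_int(max_int(val, lo), hi); }

/* Before the fix: the xattr list size read from disk is fed straight into
 * clamp_t(int, ...). A value above INT_MAX wraps to a negative int
 * (two's complement conversion on gcc/clang), so the "upper bound" is below
 * zero and wins the min(): the clamp returns the bogus bound itself. */
static int size_before_fix(int ea_size, unsigned int ealist_size)
{
    return clamp_int(ea_size, 0, (int)ealist_size);
}

/* print_hex_dump() takes len as size_t: the negative int becomes a value
 * near SIZE_MAX, so "i < len" no longer stops the dump inside the buffer. */
static size_t as_hexdump_len(int size)
{
    return (size_t)size;
}

/* After the fix: validate the on-disk list size before it is used as a bound.
 * ea_buf_max (hypothetical parameter) is the real length of the buffer the
 * dump would read from; rejecting oversized lists keeps the hex dump in bounds. */
static int size_after_fix(int ea_size, unsigned int ealist_size, size_t ea_buf_max)
{
    if (ealist_size > (unsigned int)INT_MAX || ealist_size > ea_buf_max)
        return -1;                       /* caller would return -EINVAL */
    return clamp_int(ea_size, 0, (int)ealist_size);
}

int main(void)
{
    unsigned int bad = 4110417968U;      /* EALIST_SIZE value from the report */
    int s = size_before_fix(64, bad);
    printf("before fix: size=%d, hex dump len=%zu\n", s, as_hexdump_len(s));
    printf("after fix, oversized list: %d\n", size_after_fix(64, bad, 4096));
    printf("after fix, sane list:      %d\n", size_after_fix(64, 200, 4096));
    return 0;
}
```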

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
11.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-125 Out-of-bounds Read (Memory Safety)

Affected Products (10)

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥4.19.325  –  <4.20
linux    linux_kernel   *         ≥5.4.287   –  <5.4.292
linux    linux_kernel   *         ≥5.10.231  –  <5.10.236
linux    linux_kernel   *         ≥5.15.174  –  <5.15.180
linux    linux_kernel   *         ≥6.1.120   –  <6.1.134
linux    linux_kernel   *         ≥6.6.64    –  <6.6.87
linux    linux_kernel   *         ≥6.11.11   –  <6.12
linux    linux_kernel   *         ≥6.12.2    –  <6.12.23
linux    linux_kernel   *         ≥6.13      –  <6.13.11
linux    linux_kernel   *         ≥6.14      –  <6.14.2

References (11)

  • https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652 (Patch)
  • https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d (Patch)
  • https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1 (Patch)
  • https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb (Patch)
  • https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3 (Patch)
  • https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f (Patch)
  • https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f (Patch)
  • https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab (Patch)
  • https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37 (Patch)
  • https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

Patch available: apply the upstream stable fixes listed under References.