CVE-2025-38714

Source
https://cve.org/CVERecord?id=CVE-2025-38714
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38714.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38714
Downstream
Related
Published
2025-09-04T15:33:09.206Z
Modified
2026-05-07T04:16:52.207060Z
Summary
hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()

The hfsplus_bnode_read() method can trigger the issue:

[ 174.852007][ T9784] ==================================================================
[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
[ 174.854059][ T9784]
[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 174.854286][ T9784] Call Trace:
[ 174.854289][ T9784] <TASK>
[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
[ 174.854305][ T9784] print_report+0xd0/0x660
[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854337][ T9784] kasan_report+0xc6/0x100
[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
[ 174.854525][ T9784] ? down_write+0x148/0x200
[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
[ 174.854549][ T9784] do_unlinkat+0x490/0x670
[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 174.854658][ T9784] </TASK>
[ 174.854661][ T9784]
[ 174.879281][ T9784] Allocated by task 9784:
[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
[ 174.880082][ T9784] kasan_save_track+0x14/0x30
[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x3 ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38714.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
032f7ed6717a4cd3714f9801be39fdfc7f1c7644
Fixed
ffee8a7bed0fbfe29da239a922b59c5db897c613
Fixed
5ab59229bef6063edf3a6fc2e3e3fd7cd2181b29
Fixed
a2abd574d2fe22b8464cf6df5abb6f24d809eac0
Fixed
8583d067ae22b7f32ce5277ca5543ac8bf86a3e5
Fixed
475d770c19929082aab43337e6c077d0e2043df3
Fixed
291b7f2538920aa229500dbdd6c5f0927a51bc8b
Fixed
7fa4cef8ea13b37811287ef60674c5fd1dd02ee6
Fixed
c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38714.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
5.4.297
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.241
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.190
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.149
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.103
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.43
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.11
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38714.json"