AZL-68843

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68843.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-68843

Upstream

CVE-2025-40044

Published

2025-10-28T12:15:38Z

Modified

2026-04-01T05:21:29.595335Z

Summary

CVE-2025-40044 affecting package kernel for versions less than 6.6.112.1-2

Details

In the Linux kernel, the following vulnerability has been resolved:

fs: udf: fix OOB read in lengthAllocDescs handling

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udfupdatetag() to call crcitut() on out-of-bounds memory and trigger a KASAN use-after-free read.

BUG: KASAN: use-after-free in crcitut+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 crcitut+0x1d5/0x2b0 lib/crc-itu-t.c:60 udfupdatetag+0x70/0x6a0 fs/udf/misc.c:261 udfwriteaext+0x4d8/0x7b0 fs/udf/inode.c:2179 extenttrunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udftruncatetailextent+0x527/0x7e0 fs/udf/truncate.c:106 udfreleasefile+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/filetable.c:431 taskworkrun+0x24f/0x310 kernel/taskwork.c:239 exittaskwork include/linux/taskwork.h:43 [inline] doexit+0xa2f/0x28e0 kernel/exit.c:939 dogroupexit+0x207/0x2c0 kernel/exit.c:1088 __dosysexit_group kernel/exit.c:1099 [inline] __sesysexit_group kernel/exit.c:1097 [inline] __x64sysexitgroup+0x3f/0x40 kernel/exit.c:1097 x64syscall+0x2634/0x2640 arch/x86/include/generated/asm/syscalls64.h:232 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f </TASK>

Validate the computed total length against epos->bh->b_size.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40044

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.112.1-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68843.json"