AZL-70097

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70097.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-70097

Upstream

CVE-2025-40205

Published

2025-11-12T22:15:47Z

Modified

2026-04-01T05:21:54.022369Z

Summary

CVE-2025-40205 affecting package kernel for versions less than 6.6.117.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid potential out-of-bounds in btrfsencodefh()

The function btrfsencodefh() does not properly account for the three cases it handles.

Before writing to the file handle (fh), the function only returns to the user BTRFSFIDSIZENONCONNECTABLE (5 dwords, 20 bytes) or BTRFSFIDSIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFSFIDSIZECONNECTABLEROOT (10 dwords, 40 bytes).

If *maxlen is not large enough, this write goes out of bounds because BTRFSFIDSIZECONNECTABLEROOT is greater than BTRFSFIDSIZECONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at fid->parentrootobjectid = parentrootid.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40205

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.117.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70097.json"