CVE-2025-40044

Source
https://cve.org/CVERecord?id=CVE-2025-40044
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40044.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40044
Published
2025-10-28T11:48:22.827Z
Modified
2026-03-12T03:54:32.287788Z
Summary
fs: udf: fix OOB read in lengthAllocDescs handling
Details

In the Linux kernel, the following vulnerability has been resolved:

fs: udf: fix OOB read in lengthAllocDescs handling

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.

BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Validate the computed total length against epos->bh->b_size.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
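The check the fix describes, shown here as an added standalone example that is not the kernel's code and not part of the advisory: an on-disk length field is read from a block image, the total descriptor length is computed in a width that cannot wrap, and anything that would run past the block is rejected before any CRC or tag update touches it. The 24-byte header with lengthAllocDescs at offset 20, the function names (aed_checked_total_len, aed_check_with_length) and the sample block images are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of the Allocation Extent Descriptor header used by this
 * example: 16-byte descriptor tag, 4-byte previousAllocExtLocation, then
 * the 4-byte little-endian lengthAllocDescs field.  This is a simplification
 * for illustration, not a quotation of the kernel's struct allocExtDesc. */
#define AED_HEADER_LEN             24u
#define AED_LENGTH_ALLOC_DESCS_OFF 20u

static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate an AED stored at the start of a block of block_size bytes.
 * Returns the total descriptor length (header + allocation descriptors),
 * which is exactly the span a tag-update / CRC routine is allowed to read,
 * or 0 when the on-disk length would push that span past the block end. */
size_t aed_checked_total_len(const uint8_t *block, size_t block_size)
{
    if (block_size < AED_HEADER_LEN)
        return 0;                       /* header itself does not fit */

    uint32_t len_alloc_descs = le32_at(block + AED_LENGTH_ALLOC_DESCS_OFF);

    /* Add in 64 bits so a huge lengthAllocDescs cannot wrap to a small
     * total and slip past the comparison. */
    uint64_t total = (uint64_t)AED_HEADER_LEN + len_alloc_descs;
    if (total > block_size)
        return 0;                       /* would read out of bounds */

    return (size_t)total;
}

/* Build a constructed block image whose only meaningful field is
 * lengthAllocDescs; everything else is zero. */
static void make_aed_block(uint8_t *block, size_t block_size,
                           uint32_t len_alloc_descs)
{
    memset(block, 0, block_size);
    block[AED_LENGTH_ALLOC_DESCS_OFF + 0] = (uint8_t)(len_alloc_descs);
    block[AED_LENGTH_ALLOC_DESCS_OFF + 1] = (uint8_t)(len_alloc_descs >> 8);
    block[AED_LENGTH_ALLOC_DESCS_OFF + 2] = (uint8_t)(len_alloc_descs >> 16);
    block[AED_LENGTH_ALLOC_DESCS_OFF + 3] = (uint8_t)(len_alloc_descs >> 24);
}

/* Convenience wrapper: validate a block of the given size that carries the
 * given lengthAllocDescs.  Block sizes above 4096 are outside the example. */
size_t aed_check_with_length(size_t block_size, uint32_t len_alloc_descs)
{
    uint8_t block[4096];
    if (block_size > sizeof(block))
        return 0;
    make_aed_block(block, block_size, len_alloc_descs);
    return aed_checked_total_len(block, block_size);
}

int main(void)
{
    /* Constructed cases against a 2048-byte block: in range, exactly
     * filling the block, one byte over, far over, and a value that would
     * wrap a 32-bit sum back below the block size. */
    uint32_t cases[] = { 8u, 2024u, 2025u, 4000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t total = aed_check_with_length(2048, cases[i]);
        printf("lengthAllocDescs=%10u -> %s (total %zu)\n",
               cases[i], total ? "ok" : "rejected", total);
    }
    return 0;
}
```

The wrap case is the one worth keeping in mind: with a 32-bit sum, 24 + 0xFFFFFFFF becomes 23, which is comfortably below any block size, so the width of the addition matters as much as the comparison itself.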

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40044.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
14496175b264d30c2045584ee31d062af2e3a660
Fixed
d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818
Fixed
1d1847812a1a5375c10a2a779338df643f79c047
Fixed
918649364fbca7d5df72522ca795479edcd25f91
Fixed
a70dcfa8d0a0cc530a6af59483dfca260b652c1b
Fixed
b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24
Fixed
459404f858213967ccfff336c41747d8dd186d38
Fixed
3bd5e45c2ce30e239d596becd5db720f7eb83c99

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40044.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
5.4.301
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.246
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.195
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.156
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.112
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.53
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40044.json"