CVE-2025-38715
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix slab-out-of-bounds in hfs_bnode_read()
This patch introduces the is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces the check_and_correct_requested_length() method that checks and corrects the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocated memory and triggering the crash.
Analysis
A slab-out-of-bounds vulnerability exists in the Linux kernel's HFS filesystem implementation in the hfs_bnode_read() function, allowing local attackers with low privileges to trigger out-of-bounds memory access. The vulnerability can result in information disclosure (high confidentiality impact) and denial of service through system crashes (high availability impact). With an EPSS score of only 0.01% (3rd percentile), active exploitation appears unlikely. Patches are available from the vendor.
Technical Context
This vulnerability (CWE-125: Out-of-bounds Read) affects the HFS (Hierarchical File System) implementation in the Linux kernel, specifically the B-tree node (bnode) manipulation functions. The affected code spans multiple kernel versions from as early as 2.6.12-rc2 through current stable branches, as indicated by CPE entries targeting o:linux:linux_kernel across various version ranges. The root cause is insufficient validation of offset values and requested lengths when reading, writing, clearing, copying, or moving B-tree nodes in HFS filesystems. The patch introduces two validation methods: is_bnode_offset_valid() to check offset boundaries and check_and_correct_requested_length() to validate and adjust request sizes, preventing access beyond allocated memory regions. This type of buffer over-read vulnerability can expose kernel memory contents or trigger crashes when malformed HFS filesystems are mounted or manipulated.
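The offset check and length clamp described above, shown as a simplified userspace model. This is an added example, not the kernel's code; `model_node`, `offset_is_valid`, `clamp_length` and `node_read_checked` are hypothetical names, and the 512-byte node is a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a B-tree node: node_size bytes of data are valid. */
struct model_node {
    size_t node_size;
    unsigned char data[512];
};

/* Reject offsets outside the node, including negative values that a
 * corrupted on-disk field could produce. */
static bool offset_is_valid(const struct model_node *n, long off)
{
    return off >= 0 && (size_t)off < n->node_size;
}

/* Bytes that may safely be accessed at off: 0 for a bad offset or
 * non-positive length, otherwise len clamped to the end of the node. */
static size_t clamp_length(const struct model_node *n, long off, long len)
{
    if (!offset_is_valid(n, off) || len <= 0)
        return 0;
    size_t room = n->node_size - (size_t)off;
    return (size_t)len > room ? room : (size_t)len;
}

/* Checked read: copies only the in-bounds part and returns its size, so
 * the caller can detect a short read instead of using stale bytes. */
static size_t node_read_checked(const struct model_node *n, void *dst,
                                long off, long len)
{
    size_t ok = clamp_length(n, off, len);
    if (ok)
        memcpy(dst, n->data + off, ok);
    return ok;
}

int main(void)
{
    /* Constructed sample: a request that would run 52 bytes past the node. */
    static struct model_node n = { .node_size = 512 };
    unsigned char buf[64];
    size_t got = node_read_checked(&n, buf, 500, 64);
    printf("requested 64 bytes at offset 500, copied %zu\n", got);
    return 0;
}
```

Without the clamp, the same request would make `memcpy` read past the end of `data`, which is the out-of-bounds read class (CWE-125) this CVE describes.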
Affected Products
The Linux kernel is affected across a wide range of versions, from historical releases such as 2.6.12-rc2 through current stable kernel branches. Based on CPE data (cpe:2.3:o:linux:linux_kernel), the vulnerability impacts the HFS filesystem driver present in virtually all Linux kernel versions that include HFS support. Multiple stable kernel branches have received patches, as evidenced by commit references to git.kernel.org/stable spanning different kernel version trees. Debian Linux distributions are specifically mentioned in security advisories available at lists.debian.org/debian-lts-announce dated October 2025, indicating Debian LTS releases are among the confirmed affected products. Organizations running any Linux distribution with kernel versions that include HFS filesystem support should verify their specific kernel version against vendor security bulletins.
Remediation
Update the Linux kernel to a patched version incorporating the fixes available through the upstream stable kernel repositories. Patches are available across multiple kernel stable branches as documented in commits at https://git.kernel.org/stable/c/384a66b89f9540a9a8cb0f48807697dfabaece4c, https://git.kernel.org/stable/c/67ecc81f6492275c9c54280532f558483c99c90e, and related commit references listed in the CVE. Debian users should consult the security advisories at https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html and https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html for distribution-specific updates. As a temporary workaround until patching is possible, disable or blacklist the HFS kernel module if HFS filesystem support is not required in your environment (using modprobe blacklist for hfs and hfsplus modules), and restrict the ability of unprivileged users to mount filesystems through appropriate filesystem mounting policies and user namespace restrictions.