{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23150", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-01-11T14:28:41.513Z", "datePublished": "2025-05-01T12:55:38.190Z", "dateUpdated": "2025-05-26T05:19:31.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:19:31.900Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe following loop is located right above 'if' statement.\n\nfor (i = count-1; i >= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 > blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/namei.c"], "versions": [{"version": "ea54176e5821936d109bb45dc2c19bd53559e735", "lessThan": "b96bd2c3db26ad0daec5b78c85c098b53900e2e1", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "515c34cff899eb5dae6aa7eee01c1295b07d81af", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "2883e9e74f73f9265e5f8d1aaaa89034b308e433", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "35d0aa6db9d93307085871ceab8a729594a98162", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "16d9067f00e3a7d1df7c3aa9c20d214923d27e10", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "17df39f455f1289319d4d09e4826aa46852ffd17", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "ab0cc5c25552ae0d20eae94b40a93be11b080fc5", "status": "affected", "versionType": "git"}, {"version": "5872331b3d91820e14716632ebb56b1399b34fe1", "lessThan": "94824ac9a8aaf2fb3c54b4bdde842db80ffa555d", "status": "affected", "versionType": "git"}, {"version": "059b1480105478c5f68cf664301545b8cad6a7cf", "status": "affected", "versionType": "git"}, {"version": "539ae3e03875dacaa9c388aff141ccbb4ef4ecb5", "status": "affected", "versionType": "git"}, {"version": "fbbfd55a40d5d0806b59ee0403c75d5ac517533f", "status": "affected", "versionType": "git"}, {"version": "b3ddf6ba5e28a57729fff1605ae08e21be5c92e3", "status": "affected", "versionType": "git"}, {"version": "e50fe43e3062e18846e99d9646b9c07b097eb1ed", "status": "affected", "versionType": "git"}, {"version": "88e79f7a9841278fa8ff7ff6178bad12da002ffc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/namei.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.293", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.237", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.181", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.135", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.24", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.3", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.61", "versionEndExcluding": "5.4.293"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.10.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.15.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.1.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.234"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.234"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.195"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.142"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1"}, {"url": "https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af"}, {"url": "https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433"}, {"url": "https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162"}, {"url": "https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f"}, {"url": "https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10"}, {"url": "https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17"}, {"url": "https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5"}, {"url": "https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d"}], "title": "ext4: fix off-by-one error in do_split", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe following loop is located right above 'if' statement.\n\nfor (i = count-1; i >= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 > blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: se corrige el error de uno en uno en do_split Syzkaller detect\u00f3 un problema de use-after-free en ext4_insert_dentry que fue causado por un acceso fuera de los l\u00edmites debido a una divisi\u00f3n incorrecta en do_split. ERROR: KASAN: use-after-free en ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Escritura de tama\u00f1o 251 en la direcci\u00f3n ffff888074572f14 por la tarea syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 No contaminado 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 30/10/2024 Rastreo de llamadas: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline] __se_sys_symlink fs/namei.c:4660 [inline] __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f El siguiente bucle se encuentra justo encima de la declaraci\u00f3n 'if'. for (i = count-1; i &gt;= 0; i--) { /* \u00bfhay m\u00e1s de la mitad de esta entrada en la 2da mitad del bloque? */ if (size + map[i].size/2 &gt; blocksize/2) break; size += map[i].size; move++; } En este caso, la 'i' podr\u00eda bajar a -1, en cuyo caso la suma de las entradas activas no superar\u00eda la mitad del tama\u00f1o del bloque. Sin embargo, el comportamiento anterior tambi\u00e9n se dividir\u00eda por la mitad si la suma superara el tama\u00f1o del \u00faltimo bloque. Esto, al tener demasiados archivos con nombres largos en un solo bloque, podr\u00eda provocar un acceso fuera de los l\u00edmites y el consiguiente uso despu\u00e9s de la liberaci\u00f3n. Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "id": "CVE-2025-23150", "lastModified": "2025-05-02T13:53:20.943", "metrics": {}, "published": "2025-05-01T13:15:50.893", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2025:9348", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "kernel-0:6.12.0-55.18.1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-23T00:00:00Z"}, {"advisory": "RHSA-2025:9302", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.23.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-23T00:00:00Z"}, {"advisory": "RHSA-2025:9302", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.23.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-23T00:00:00Z"}], "bugzilla": {"description": "kernel: ext4: fix off-by-one error in do_split", "id": "2363268", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363268"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\next4: fix off-by-one error in do_split\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:488\nkasan_report+0x143/0x180 mm/kasan/report.c:601\nkasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\next4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nadd_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\nmake_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\next4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\next4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\next4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\nvfs_symlink+0x137/0x2e0 fs/namei.c:4615\ndo_symlinkat+0x222/0x3a0 fs/namei.c:4641\n__do_sys_symlink fs/namei.c:4662 [inline]\n__se_sys_symlink fs/namei.c:4660 [inline]\n__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nThe following loop is located right above 'if' statement.\nfor (i = count-1; i >= 0; i--) {\n/* is more than half of this entry in 2nd half of the block? */\nif (size + map[i].size/2 > blocksize/2)\nbreak;\nsize += map[i].size;\nmove++;\n}\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."], "name": "CVE-2025-23150", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23150\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23150\nhttps://lore.kernel.org/linux-cve-announce/2025050127-CVE-2025-23150-15b8@gregkh/T"], "threat_severity": "Moderate"}