{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39735", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.119Z", "datePublished": "2025-04-18T07:01:36.453Z", "dateUpdated": "2025-04-18T07:01:36.453Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-04-18T07:01:36.453Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds read in ea_get()\n\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\n\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\n\n\tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\n\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\n\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\n\n\tfor (i = 0; i < len; i += rowsize) {\n\t\tlinelen = min(remaining, rowsize);\n\t\tremaining -= rowsize;\n\n\t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\n\t\t\t\t linebuf, sizeof(linebuf), ascii);\n\n\t\t...\n\t}\n\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\n\n\tfor (j = 0; j < len; j++) {\n\t\t\tif (linebuflen < lx + 2)\n\t\t\t\tgoto overflow2;\n\t\t\tch = ptr[j];\n\t\t...\n\t}\n\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jfs/xattr.c"], "versions": [{"version": "6e39b681d1eb16f408493bf5023788b57f68998c", "lessThan": "3d6fd5b9c6acbc005e53d0211c7381f566babec1", "status": "affected", "versionType": "git"}, {"version": "bbf3f1fd8a0ac7df1db36a9b9e923041a14369f2", "lessThan": "50afcee7011155933d8d5e8832f52eeee018cfd3", "status": "affected", "versionType": "git"}, {"version": "27a93c45e16ac25a0e2b5e5668e2d1beca56a478", "lessThan": "78c9cbde8880ec02d864c166bcb4fe989ce1d95f", "status": "affected", "versionType": "git"}, {"version": "9c356fc32a4480a2c0e537a05f2a8617633ddad0", "lessThan": "46e2c031aa59ea65128991cbca474bd5c0c2ecdb", "status": "affected", "versionType": "git"}, {"version": "9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4", "lessThan": "a8c31808925b11393a6601f534bb63bac5366bab", "status": "affected", "versionType": "git"}, {"version": "8c505ebeed8045b488b2e60b516c752b851f8437", "lessThan": "0beddc2a3f9b9cf7d8887973041e36c2d0fa3652", "status": "affected", "versionType": "git"}, {"version": "d9f9d96136cba8fedd647d2c024342ce090133c2", "lessThan": "16d3d36436492aa248b2d8045e75585ebcc2f34d", "status": "affected", "versionType": "git"}, {"version": "d9f9d96136cba8fedd647d2c024342ce090133c2", "lessThan": "5263822558a8a7c0d0248d5679c2dcf4d5cda61f", "status": "affected", "versionType": "git"}, {"version": "d9f9d96136cba8fedd647d2c024342ce090133c2", "lessThan": "fdf480da5837c23b146c4743c18de97202fcab37", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jfs/xattr.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.292", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.236", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.180", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.134", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.87", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1"}, {"url": "https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3"}, {"url": "https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f"}, {"url": "https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb"}, {"url": "https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab"}, {"url": "https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652"}, {"url": "https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d"}, {"url": "https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f"}, {"url": "https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37"}], "title": "jfs: fix slab-out-of-bounds read in ea_get()", "x_generator": {"engine": "bippy-1.0.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C960EB7-4E90-49E0-BB92-BE6F1B8CF26F", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.325", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "16E1C46D-7C0B-4307-928A-8D0ABDF8D1B8", "versionEndExcluding": "5.4.292", "versionStartIncluding": "5.4.287", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0C4A9A-87C3-4779-923D-5E19C9A26EA9", "versionEndExcluding": "5.10.236", "versionStartIncluding": "5.10.231", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6B383DC-5ED6-4326-885D-2F161A71E2D5", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.15.174", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9344B2D-88D1-4540-9748-8CC37D3B25C8", "versionEndExcluding": "6.1.134", "versionStartIncluding": "6.1.120", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "042FFA18-3C6A-4999-AB8F-4F6F5902BEEA", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.6.64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824", "versionEndExcluding": "6.12", "versionStartIncluding": "6.11.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5C71FC9-A61C-431A-9215-38D09F5A2FF3", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds read in ea_get()\n\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\n\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\n\n\tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\n\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\n\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\n\n\tfor (i = 0; i < len; i += rowsize) {\n\t\tlinelen = min(remaining, rowsize);\n\t\tremaining -= rowsize;\n\n\t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\n\t\t\t\t linebuf, sizeof(linebuf), ascii);\n\n\t\t...\n\t}\n\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\n\n\tfor (j = 0; j < len; j++) {\n\t\t\tif (linebuflen < lx + 2)\n\t\t\t\tgoto overflow2;\n\t\t\tch = ptr[j];\n\t\t...\n\t}\n\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: correcci\u00f3n de lectura fuera de los l\u00edmites de slab en ea_get(). Durante la etiqueta \"size_check\" en ea_get(), el c\u00f3digo comprueba si el tama\u00f1o de la lista de atributos extendidos (xattr) coincide con ea_size. De lo contrario, registra \"ea_get: atributo extendido no v\u00e1lido\" y llama a print_hex_dump(). En este caso, EALIST_SIZE(ea_buf-&gt;xattr) devuelve 4110417968, que excede INT_MAX (2147483647). A continuaci\u00f3n, se fija ea_size: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf-&gt;xattr)); Aunque clamp_t busca limitar ea_size entre 0 y 4110417968, el l\u00edmite superior se trata como un entero, lo que provoca un desbordamiento por encima de 2^31 - 1. Esto hace que \"size\" se repita y se vuelva negativo (-184549328). El \"size\" se pasa a print_hex_dump() (llamado \"len\" en print_hex_dump()) como tipo size_t (un tipo sin signo). Este se almacena en una variable llamada \"int remaining\", que se asigna a \"int linelen\", que a su vez se pasa a hex_dump_to_buffer(). En print_hex_dump(), el bucle for itera desde 0 hasta len-1, donde len es 18446744073525002176 y llama a hex_dump_to_buffer() en cada iteraci\u00f3n: for (i = 0; i &lt; len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } La condici\u00f3n de detenci\u00f3n esperada (i &lt; len) se rompe efectivamente ya que len est\u00e1 da\u00f1ado y es muy grande. Esto eventualmente lleva a que \"ptr+i\" se pase a hex_dump_to_buffer() para acercarse al final de los l\u00edmites reales de \"ptr\", eventualmente se realiza un acceso fuera de los l\u00edmites en hex_dump_to_buffer() en el siguiente bucle for: for (j = 0; j &lt; len; j++) { if (linebuflen &lt; lx + 2) goto overflow2; ch = ptr[j]; ... } Para solucionar esto debemos validar \"EALIST_SIZE(ea_buf-&gt;xattr)\" antes de utilizarlo."}], "id": "CVE-2025-39735", "lastModified": "2025-04-28T14:37:34.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-18T07:15:44.150", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: jfs: fix slab-out-of-bounds read in ea_get()", "id": "2360930", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360930"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\njfs: fix slab-out-of-bounds read in ea_get()\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\nint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\nfor (i = 0; i < len; i += rowsize) {\nlinelen = min(remaining, rowsize);\nremaining -= rowsize;\nhex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\nlinebuf, sizeof(linebuf), ascii);\n...\n}\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\nfor (j = 0; j < len; j++) {\nif (linebuflen < lx + 2)\ngoto overflow2;\nch = ptr[j];\n...\n}\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised."], "name": "CVE-2025-39735", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-39735\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39735\nhttps://lore.kernel.org/linux-cve-announce/2025041820-CVE-2025-39735-41c8@gregkh/T"], "threat_severity": "Moderate"}