CVE-2025-40044
Description
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's UDF filesystem, a missing validation of the lengthAllocDescs field in Allocation Extent Descriptors allows an out-of-bounds read, leading to a KASAN use-after-free.
Vulnerability
CVE-2025-40044 is an out-of-bounds (OOB) read in the Linux kernel's UDF (Universal Disk Format) filesystem. The root cause is the lengthAllocDescs field of an Allocation Extent Descriptor (AED): a 32-bit value read directly from the on-disk descriptor and never checked against the block size. When a crafted or corrupted UDF image sets lengthAllocDescs so that the total descriptor length, sizeof(allocExtDesc) + lengthAllocDescs, exceeds the buffer_head holding the block (epos->bh->b_size), udf_write_aext() hands that oversized length to udf_update_tag(), which recomputes the descriptor CRC with crc_itu_t() over memory past the end of the buffer. KASAN labels the access a use-after-free because the memory beyond the buffer happened to belong to a freed object; logically it is an out-of-bounds read driven by an untrusted on-disk length [1][2].
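The check the commit message describes, modelled in user space as an added example. This is not the kernel's code: the field offsets follow the ECMA-167 Allocation Extent Descriptor layout (16-byte tag, previousAllocExtLocation, lengthAllocDescs), while the 512-byte block size, the function names and the return codes are assumptions made here. It places a controlled lengthAllocDescs into a constructed block, shows the pre-fix total length running past the block, and applies the bounds test before any CRC is computed, written so that the addition itself cannot overflow.

```c
/* Added example (not kernel code): user-space model of the bounds check the
 * fix adds before the AED tag CRC is recomputed. Offsets follow ECMA-167
 * 4/14.5; BLOCK_SIZE, function names and return codes are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 512u                 /* assumed; stands in for epos->bh->b_size */
#define TAG_SIZE   16u                  /* sizeof(struct tag) */
#define AED_SIZE   24u                  /* sizeof(struct allocExtDesc) */
#define OFF_DESC_CRC           10u      /* tag.descCRC */
#define OFF_DESC_CRC_LENGTH    12u      /* tag.descCRCLength */
#define OFF_LENGTH_ALLOC_DESCS 20u      /* allocExtDesc.lengthAllocDescs */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* CRC-16, polynomial 0x1021, MSB first, caller-supplied initial value: the
 * same definition lib/crc-itu-t.c implements with a lookup table. */
uint16_t crc_itu_t(uint16_t crc, const uint8_t *buf, size_t len)
{
    while (len--) {
        crc ^= (uint16_t)(*buf++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed on-disk block: a zeroed AED whose lengthAllocDescs we control. */
void build_aed(uint8_t *blk, uint32_t length_alloc_descs)
{
    memset(blk, 0, BLOCK_SIZE);
    put_le16(blk + 0, 258);                  /* TAG_IDENT_AED */
    put_le16(blk + 2, 3);                    /* descVersion */
    put_le32(blk + OFF_LENGTH_ALLOC_DESCS, length_alloc_descs);
}

/* Pre-fix shape: the on-disk field goes straight into the CRC length. */
size_t aed_unchecked_total(const uint8_t *blk)
{
    return AED_SIZE + (size_t)le32(blk + OFF_LENGTH_ALLOC_DESCS);
}

/* Post-fix shape (modelled): bound the total by the block before it is used.
 * Written as len > blk_size - AED_SIZE so the sum itself cannot wrap. */
bool aed_checked_total(const uint8_t *blk, size_t blk_size, size_t *total)
{
    if (blk_size < AED_SIZE)
        return false;
    uint32_t len = le32(blk + OFF_LENGTH_ALLOC_DESCS);
    if (len > blk_size - AED_SIZE)
        return false;
    *total = AED_SIZE + len;
    return true;
}

/* Mirrors what udf_update_tag() does with the length it is handed: CRC over
 * everything after the 16-byte tag, stored in descCRC/descCRCLength.
 * Returns 0 on success, -1 when the descriptor would overrun the block. */
int aed_update_tag(uint8_t *blk, size_t blk_size)
{
    size_t total;
    if (!aed_checked_total(blk, blk_size, &total))
        return -1;                           /* corrupted image: refuse, do not CRC */
    uint16_t crc_len = (uint16_t)(total - TAG_SIZE);
    put_le16(blk + OFF_DESC_CRC_LENGTH, crc_len);
    put_le16(blk + OFF_DESC_CRC, crc_itu_t(0, blk + TAG_SIZE, crc_len));
    return 0;
}

int main(void)
{
    uint8_t blk[BLOCK_SIZE];
    build_aed(blk, 64);
    printf("benign:  pre-fix total=%zu accepted=%d\n",
           aed_unchecked_total(blk), aed_update_tag(blk, BLOCK_SIZE) == 0);
    build_aed(blk, 0xFFFFFFF0u);
    printf("crafted: pre-fix total=%zu accepted=%d\n",
           aed_unchecked_total(blk), aed_update_tag(blk, BLOCK_SIZE) == 0);
    return 0;
}
```

The crafted case shows why the check has to happen before udf_update_tag() rather than inside the CRC: a 32-bit lengthAllocDescs lets the total run gigabytes past a 512-byte block, and on a 32-bit size_t the naive sum would even wrap to a small value, so the comparison is done against blk_size - AED_SIZE instead of on the sum.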
Exploitation
Exploitation requires the ability to mount a maliciously crafted UDF filesystem image. No privileges beyond that are needed: a local user with mount rights, or a system that automatically mounts removable media such as a USB stick or optical disc, can trigger it. The bug is reachable from the normal file-release path. In the KASAN report the task is exiting (exit_group), __fput() calls udf_release_file(), which calls udf_truncate_tail_extent() and extent_trunc(), and finally udf_write_aext(), where the unvalidated total length is passed to udf_update_tag() [1][2].
Impact
A successful trigger yields an out-of-bounds read. Because lengthAllocDescs is a 32-bit on-disk value, the CRC loop can be made to walk far past the end of the buffer, into unmapped memory, and crash the kernel (denial of service). The computed CRC is also stored in the descriptor tag, so a 16-bit checksum over out-of-bounds kernel memory ends up in the writable image, a narrow information leak. The KASAN report shows a 1-byte read at an address just past the buffer, confirming the out-of-bounds access; on a production kernel without KASAN, a short overrun into mapped memory would go unnoticed, so the observable effect depends on the length the image chooses [1].
Mitigation
The fix validates the computed total length (sizeof(allocExtDesc) + lengthAllocDescs) against epos->bh->b_size before udf_update_tag() is called, and has been applied to the stable kernel trees in the commits listed under References [1] through [8]. Users should update to a kernel containing one of these patches. Until then, the only mitigation is not to mount untrusted UDF images: on systems that never need UDF, prevent the module from loading (for example, "install udf /bin/false" in a modprobe.d configuration file) so that an automounted crafted disc or USB stick fails to mount instead of being parsed.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Linux kernel

Patches (8)
14496175b264, d2ed9aa8ae50, 1d1847812a1a, 918649364fbc, a70dcfa8d0a0, b57f2d7d3e6b, 459404f85821, 3bd5e45c2ce3 (full commit URLs under References)

Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
[1] git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660 (source: nvd)
[2] git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047 (source: nvd)
[3] git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99 (source: nvd)
[4] git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38 (source: nvd)
[5] git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91 (source: nvd)
[6] git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b (source: nvd)
[7] git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24 (source: nvd)
[8] git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818 (source: nvd)
News mentions (0)
No linked articles in our index yet.