CVE-2025-40306

Vulnerability: xattr Buffer Overflow in OrangeFS

The vulnerability resides in the xattr_key() helper function within the OrangeFS file system code in the Linux kernel. The function uses the pointer variable key in the loop condition rather than dereferencing it. As key is incremented, it remains non-NULL until it encounters unmapped memory, so the loop never terminates on valid C strings. This results in an infinite loop that walks memory indefinitely, consuming CPU or hanging the thread [1]. The bug was discovered by Disclosure and forwarded by Willy Tarreau.

Exploitation and

Attack Surface

The issue is triggered by legitimate xattr operations such as setfattr or getfattr. Reproducing the bug causes a kernel oops, hung user processes, and corrupted OrangeFS files. No special privileges are required beyond the ability to set or get extended attributes on an OrangeFS filesystem [1]. The second aspect of the vulnerability is a memory leak and hash bucket misrouting. xattr_key() returns a hashed key, but when adding xattrs to the OrangeFS xattr cache, the kernel macro hash_add rehashes the key using hash_log, resulting in cache entries being placed in the wrong hash bucket. This was exposed by xfstest generic/069 [1].

Impact

An attacker who can perform xattr operations can cause a denial of service (DoS) through infinite loops and kernel panics. Additionally, the hash bucket misrouting leads to a memory leak where every getattr for an xattr like "security.capability" results in a kmalloc that is never freed. This can quickly exhaust system memory (OOM), crashing the system [1].

Mitigation

The fix replaces the two uses of hash_add with hlist_add_head and corrects the looping condition in xattr_key(). The stable kernel patches are available at commits [2] and [3]. Users should update to the latest stable kernel to mitigate this vulnerability.