Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68237

Description

In the Linux kernel, the following vulnerability has been resolved:

mtdchar: fix integer overflow in read/write ioctls

The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow.

Use check_add_overflow() to fix this bug.
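
The wrap-around described above, as an added userspace example (not the kernel's code and not part of the advisory). The struct and function names, the 128 MiB device size, and the shape of the range check against a device size are assumptions made for illustration; __builtin_add_overflow() stands in for the kernel's check_add_overflow().

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel source: a request with user-controlled
 * 64-bit start and len, checked against a device of `size` bytes. */
struct model_req { uint64_t start; uint64_t len; };

/* Unchecked form: start + len is computed modulo 2^64, so a huge start
 * wraps the sum to a small value that passes the comparison. */
static bool range_ok_unchecked(struct model_req r, uint64_t size)
{
    r.len &= 0xffffffffULL;            /* len capped at U32_MAX, as described */
    return r.start + r.len <= size;
}

/* Checked form: __builtin_add_overflow() stands in for the kernel's
 * check_add_overflow(); it returns true when the sum does not fit. */
static bool range_ok_checked(struct model_req r, uint64_t size)
{
    uint64_t end;

    r.len &= 0xffffffffULL;
    if (__builtin_add_overflow(r.start, r.len, &end))
        return false;                  /* wrapped: reject the request */
    return end <= size;
}

int main(void)
{
    const uint64_t size = 128ULL << 20;            /* constructed 128 MiB device */
    const struct model_req cases[] = {
        { 0x1000, 0x2000 },                        /* ordinary in-range request */
        { size - 0x100, 0x200 },                   /* runs past the end, no wrap */
        { UINT64_MAX - 0xff, 0x1000 },             /* sum wraps to 0xf00 */
        { UINT64_MAX, 1 },                         /* sum wraps to exactly 0 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("start=%#llx len=%#llx unchecked=%d checked=%d\n",
               (unsigned long long)cases[i].start,
               (unsigned long long)cases[i].len,
               range_ok_unchecked(cases[i], size),
               range_ok_checked(cases[i], size));
    return 0;
}
```

Only the two wrapping cases differ between the columns: the unchecked form accepts them, the checked form rejects them.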

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in mtdchar read/write ioctls in Linux kernel allows potential memory corruption due to unchecked addition of user-supplied 64-bit start and length values.

The vulnerability resides in the mtdchar driver's handling of read and write ioctl commands. The user-supplied req.start and req.len fields are both 64-bit unsigned integers (u64). While req.len is masked to 32 bits, capping it at U32_MAX, req.start can be as large as U64_MAX. The addition start + len is performed without overflow checking, leading to possible integer wrap-around.

To trigger the overflow, an attacker must have access to an MTD character device (e.g., /dev/mtd*) and the ability to issue the relevant ioctl calls. No authentication beyond file access is needed. By providing a large start value, the subsequent offset calculation wraps, potentially causing the driver to read or write to a memory region outside the intended MTD partition.

Successful exploitation could allow an attacker to read sensitive kernel memory or corrupt data within the device's memory space. This could lead to information disclosure, privilege escalation, or denial of service. The exact impact depends on the kernel configuration and the specific MTD device.

The fix, introduced in Linux kernel stable updates, adds a check_add_overflow() call before the addition to safely detect and handle overflow conditions. Patches are available for affected stable kernels [1][2]. Users should update their kernel to a version containing the fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
