VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2026 · Updated Apr 15, 2026

CVE-2025-68761

Description

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix potential use after free in hfs_correct_next_unused_CNID()

This code calls hfs_bnode_put(node) which drops the refcount and then dereferences "node" on the next line. It's only safe to use "node" when we're holding a reference so flip these two lines around.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free bug in the Linux kernel's hfs filesystem where a node is accessed after its reference is dropped.

In the Linux kernel's HFS filesystem implementation, the function hfs_correct_next_unused_CNID() contains a use-after-free vulnerability. The call hfs_bnode_put(node) releases the reference count on a buffer node, after which the code dereferences node on the next line. This violates the kernel's memory safety rules, as accessing the node after dropping the reference can lead to accessing freed memory [1].

The vulnerability is triggered during normal filesystem operations when hfs_correct_next_unused_CNID() is executed. The function is invoked as part of catalog node management in the HFS driver. No special privileges or unusual conditions are required beyond mounting an HFS filesystem and performing operations that call this function. The flaw exists in the order of operations: decrementing the reference count before the final use of the node pointer [1].

An attacker who can trigger the vulnerable code path (e.g., by mounting a crafted HFS filesystem or causing specific file operations) could potentially exploit the use-after-free to achieve memory corruption. In the worst case, this might lead to a denial of service (system crash) or, with careful heap manipulation, arbitrary code execution in kernel context. The CVSS score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability, though exploitation requires local access and low complexity [1].

The fix is straightforward and has been applied to the stable kernel tree. The patch swaps the two lines, ensuring hfs_bnode_put(node) is called only after the node is no longer needed. Users should update their Linux kernel to a version containing this commit. No workaround is available without patching, as the bug is in core HFS code. This CVE is not known to be on the CISA KEV list.
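
The ordering problem described above, modelled in userspace C as an added example (not kernel code and not the upstream patch): `struct node`, `node_put`, `node_read` and the `val` field are hypothetical stand-ins, and the model poisons the node instead of freeing it so the stale read can be observed. It also covers the case where another holder keeps the node alive, in which the bad ordering goes unnoticed.

```c
/* Userspace model of the put-before-use ordering; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#define POISON 0xdeadbeefu

struct node {                 /* stand-in for a refcounted node */
    int refcnt;
    bool live;                /* false once the last reference is dropped */
    unsigned val;             /* constructed field the caller reads */
};
struct result { unsigned val; int stale_reads; };
static int g_stale;           /* reads made after the node was released */

/* Drop one reference. In this model the node is released (poisoned rather
 * than freed, so the bad read is observable) when the count reaches 0. */
static void node_put(struct node *n)
{
    if (--n->refcnt == 0) {
        n->live = false;
        n->val = POISON;
    }
}

/* Checked read: records any access to a node that is no longer live. */
static unsigned node_read(const struct node *n)
{
    if (!n->live)
        g_stale++;
    return n->val;
}

/* Order described in the advisory: put first, then dereference. */
static unsigned put_then_read(struct node *n) { node_put(n); return node_read(n); }
/* Fixed order: dereference while the reference is held, then put. */
static unsigned read_then_put(struct node *n) { unsigned v = node_read(n); node_put(n); return v; }

/* Run one ordering on a fresh node; other_refs models additional holders. */
struct result run_case(bool fixed, int other_refs)
{
    struct node n = { .refcnt = 1 + other_refs, .live = true, .val = 16 };
    g_stale = 0;
    unsigned v = fixed ? read_then_put(&n) : put_then_read(&n);
    return (struct result){ v, g_stale };
}

int main(void)
{
    printf("stale reads: put-first/last-ref=%d put-first/shared=%d fixed/last-ref=%d\n",
           run_case(false, 0).stale_reads, run_case(false, 1).stale_reads,
           run_case(true, 0).stale_reads);
    return 0;
}
```

The put-first ordering only misbehaves when the caller held the last reference, so a test that happens to run while another holder exists will not catch it.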

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
