VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 13, 2026· Updated Apr 15, 2026

CVE-2025-68767

CVE-2025-68767

Description

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: Verify inode mode when loading from disk

syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.

According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the "mode" field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/ S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel HFS+ driver lacks validation of on-disk inode mode bits, allowing corrupted S_IFMT values to cause undefined behavior.

Vulnerability

Overview

CVE-2025-68767 is a missing input validation flaw in the Linux kernel's HFS+ filesystem driver. When loading an inode from disk, the driver does not verify that the S_IFMT bits of inode->i_mode are consistent with the directory flag stored in the HFS+ catalog record. As documented in Mac OS 8/9, the permission field in the on-disk structure was initially reserved and initialized to zero [1]. A non-zero value in this field still implies the file type must match the directory flag: if the directory flag is set, the inode must be a directory (S_IFDIR); if not, the inode must be one of S_IFREG, S_IFLNK, S_IFCHR, S_IFBLK, S_IFIFO, or S_IFSOCK [2]. The kernel version without this fix accepts any combination, leading to bogus i_mode values.

Exploitation

An attacker with the ability to write to an HFS+ filesystem — for example, via a maliciously crafted disk image or by exploiting a separate write primitive on a mounted volume — can modify the on-disk mode field of any file or directory. When the filesystem is next mounted or the inode is accessed, the kernel reads the corrupted mode and assigns an invalid S_IFMT type to the inode. No authentication is required beyond physical or logical access to modify the filesystem blocks, and no special privileges are needed to trigger the flawed validation path during normal stat() or lookup() operations.

Impact

By forcing an inode to have an incorrect file type (for example, marking a regular file as a directory or a FIFO as a block device), an attacker can induce unexpected behavior in kernel subsystems that rely on i_mode for permission checks, file operations, and VFS switching. This can lead to denial-of-service through kernel crashes, or potentially to privilege escalation if the corrupted type causes the kernel to execute code paths with incorrect security checks. The bug was discovered via syzbot fuzzing, indicating it is easily reachable from malicious filesystem images.

Mitigation

The Linux kernel upstream has committed a fix that validates the S_IFMT bits against the directory flag on every inode load from disk [3]. The fix ensures that any on-disk corruption results in an error (EIO) rather than an unstable inode. Affected distributions should backport the patch or update to a kernel version containing the commit. No workaround exists short of not mounting untrusted HFS+ volumes.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.