CVE-2025-68774
Description
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it.
Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0)
Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node.
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing hfs_bnode_get() in __hfs_bnode_create causes a refcount underflow BUG when sync() and link() race in the Linux kernel HFS+ filesystem.
Root
Cause
In the Linux kernel's HFS+ filesystem, the function __hfs_bnode_create() did not call hfs_bnode_get() when a thread reuses a bnode that was concurrently created by another thread. When two threads (e.g., hfsplus_write_inode and hfsplus_create_cat) collide while looking up node 0, both enter hfs_bnode_find() and then __hfs_bnode_create(). The first thread creates the bnode, sets refcnt=1, and inserts it into the hash table. The second thread finds the already-hashed node, kfree's its own allocation, and returns the hashed node without incrementing the reference count. This leaves refcnt=1 even though two callers now hold references, leading to a BUG_ON(!atomic_read(&node->refcnt)) when both callers later put the node [1].
Attack
Vector
Exploitation requires local access and the ability to trigger concurrent sync() and link() or similar operations on a mounted HFS+ filesystem. No special privileges beyond normal file operations are needed, making the bug a local denial-of-service (DoS) vector. The race window is tight but deterministic due to the order of operations inside __hfs_bnode_create [2].
Impact
A successful race causes a kernel BUG (refcount underflow), resulting in a system crash or hang. The attacker gains no code execution or privilege escalation; the impact is limited to a local denial-of-service. The vulnerability has a CVSS v3 score of 5.5 (medium), reflecting the need for local access and the availability-only impact [3].
Mitigation
The fix, which adds hfs_bnode_get() when reusing a bnode (similar to the HFS fix in commit a9dc087fd3c4), has been backported to stable kernel trees. Users should apply the latest kernel updates to prevent exploitation. No workarounds exist beyond ensuring a single thread performs HFS+ metadata operations.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466anvd
- git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342dnvd
- git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56nvd
- git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6nvd
- git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071envd
- git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86nvd
- git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50nvd
News mentions
0No linked articles in our index yet.