CVE-2025-40044 in Linux
Summary
by MITRE • 10/28/2025
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/20/2026
The vulnerability CVE-2025-40044 represents a critical out-of-bounds read condition within the Linux kernel's Universal Disk Format (UDF) filesystem implementation. This flaw exists in the handling of Allocation Extent Descriptors where the lengthAllocDescs field is directly read from on-disk data without proper validation against the block size. The issue manifests when processing crafted or corrupted UDF images that manipulate this field to exceed buffer boundaries, causing the udf_update_tag() function to invoke crc_itu_t() on memory locations that extend beyond the allocated buffer space. This particular vulnerability falls under the category of buffer over-read conditions and is classified as a use-after-free error as evidenced by the KASAN report indicating a read of size 1 at address ffff888041e7d000 by the syz-executor317 process.
The technical execution of this vulnerability occurs during the parsing of UDF filesystem structures where the kernel calculates the total descriptor length by summing sizeof(allocExtDesc) with lengthAllocDescs. When this computed value surpasses the actual buffer size contained in epos->bh->b_size, subsequent memory access operations trigger invalid memory reads that can potentially lead to system instability or information disclosure. The call trace demonstrates this vulnerability propagates through the filesystem stack starting from udf_update_tag() which calls crc_itu_t() on invalid memory addresses, ultimately leading to kernel memory corruption during file operations involving extent truncation and release. This represents a classic example of improper input validation where untrusted on-disk data is processed without adequate bounds checking, directly violating security principles that mandate sanitization of all external inputs.
The operational impact of this vulnerability extends beyond simple memory corruption as it can potentially enable attackers to exploit the kernel's memory management subsystem through crafted UDF images. The vulnerability is particularly concerning because it can be triggered through file system operations on mounted UDF volumes, making it exploitable in scenarios involving removable media, optical discs, or network-mounted UDF filesystems. The fact that this vulnerability was discovered by the Linux Verification Center using Syzkaller indicates it represents a systematic flaw in the kernel's filesystem validation logic that could potentially be weaponized to achieve privilege escalation or denial of service conditions. From an ATT&CK perspective, this vulnerability aligns with techniques involving kernel memory corruption and privilege escalation through filesystem manipulation, while CWE classification places it under CWE-129: Improper Validation of Array Index, which specifically addresses inadequate bounds checking in array access operations.
Mitigation strategies for CVE-2025-40044 should focus on implementing robust input validation mechanisms within the UDF filesystem driver to ensure that lengthAllocDescs values are properly constrained against available buffer space. The fix must validate the computed total length against epos->bh->b_size before proceeding with memory operations, effectively preventing the out-of-bounds access that leads to the use-after-free condition. System administrators should prioritize applying the kernel patch that addresses this specific validation issue, particularly in environments handling untrusted UDF media or where UDF filesystems are mounted from removable devices. Additionally, monitoring for unusual filesystem access patterns and implementing proper filesystem integrity checks can help detect potential exploitation attempts. The vulnerability highlights the critical importance of input validation in kernel space operations and reinforces the necessity of comprehensive testing methodologies including fuzzing tools like Syzkaller to identify such memory safety issues before they can be exploited in production environments.