{"id":"CVE-2025-22036","summary":"exfat: fix random stack corruption after get_block","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix random stack corruption after get_block\n\nWhen get_block is called with a buffer_head allocated on the stack, such\nas do_mpage_readpage, stack corruption due to buffer_head UAF may occur in\nthe following race condition situation.\n\n     \u003cCPU 0\u003e                      \u003cCPU 1\u003e\nmpage_read_folio\n  \u003c\u003cbh on stack\u003e\u003e\n  do_mpage_readpage\n    exfat_get_block\n      bh_read\n        __bh_read\n\t  get_bh(bh)\n          submit_bh\n          wait_on_buffer\n                              ...\n                              end_buffer_read_sync\n                                __end_buffer_read_notouch\n                                   unlock_buffer\n          \u003c\u003ckeep going\u003e\u003e\n        ...\n      ...\n    ...\n  ...\n\u003c\u003cbh is not valid out of mpage_read_folio\u003e\u003e\n   .\n   .\nanother_function\n  \u003c\u003cvariable A on stack\u003e\u003e\n                                   put_bh(bh)\n                                     atomic_dec(bh-\u003eb_count)\n  * stack corruption here *\n\nThis patch returns -EAGAIN if a folio does not have buffers when bh_read\nneeds to be called. By doing this, the caller can fallback to functions\nlike block_read_full_folio(), create a buffer_head in the folio, and then\ncall get_block again.\n\nLet's do not call bh_read() with on-stack buffer_head.","modified":"2026-04-02T12:45:19.858756Z","published":"2025-04-16T14:11:54.916Z","related":["ALSA-2025:10854","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22036.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1bb7ff4204b6d4927e982cd256286c09ed4fd8ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7447286363dc1e410bf30b87d75168f3519f9cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f807a6bf2005740fa26b4f59c4a003dc966b9afd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22036.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22036"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"11a347fb6cef62ce47e84b97c45f2b2497c7593b"},{"fixed":"49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2"},{"fixed":"f7447286363dc1e410bf30b87d75168f3519f9cc"},{"fixed":"f807a6bf2005740fa26b4f59c4a003dc966b9afd"},{"fixed":"1bb7ff4204b6d4927e982cd256286c09ed4fd8ca"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}