{"id":"CVE-2025-38713","summary":"hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nThe hfsplus_readdir() method is capable to crash by calling\nhfsplus_uni2asc():\n\n[  667.121659][ T9805] ==================================================================\n[  667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10\n[  667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805\n[  667.124578][ T9805]\n[  667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)\n[  667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  667.124890][ T9805] Call Trace:\n[  667.124893][ T9805]  \u003cTASK\u003e\n[  667.124896][ T9805]  dump_stack_lvl+0x10e/0x1f0\n[  667.124911][ T9805]  print_report+0xd0/0x660\n[  667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610\n[  667.124928][ T9805]  ? __phys_addr+0xe8/0x180\n[  667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124942][ T9805]  kasan_report+0xc6/0x100\n[  667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10\n[  667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360\n[  667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0\n[  667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10\n[  667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0\n[  667.125008][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0\n[  667.125022][ T9805]  ? lock_acquire+0x30/0x80\n[  667.125029][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0\n[  667.125044][ T9805]  ? putname+0x154/0x1a0\n[  667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10\n[  667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0\n[  667.125069][ T9805]  iterate_dir+0x296/0xb20\n[  667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10\n[  667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200\n[  667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10\n[  667.125134][ T9805]  ? do_user_addr_fault+0x7fe/0x12f0\n[  667.125143][ T9805]  do_syscall_64+0xc9/0x480\n[  667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9\n[  667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48\n[  667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9\n[  667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9\n[  667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004\n[  667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110\n[  667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260\n[  667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  667.125207][ T9805]  \u003c/TASK\u003e\n[  667.125210][ T9805]\n[  667.145632][ T9805] Allocated by task 9805:\n[  667.145991][ T9805]  kasan_save_stack+0x20/0x40\n[  667.146352][ T9805]  kasan_save_track+0x14/0x30\n[  667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0\n[  667.147065][ T9805]  __kmalloc_noprof+0x205/0x550\n[  667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0\n[  667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0\n[  667.148174][ T9805]  iterate_dir+0x296/0xb20\n[  667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.148937][ T9805]  do_syscall_64+0xc9/0x480\n[  667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.149809][ T9805]\n[  667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000\n[  667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048\n[  667.151282][ T9805] The buggy address is located 0 bytes to the right of\n[  667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)\n[  667.1\n---truncated---","modified":"2026-04-16T04:32:09.512904361Z","published":"2025-09-04T15:33:03.464Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4315-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38713.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/13604b1d7e7b125fb428cddbec6b8d92baad25d5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1ca69007e52a73bd8b84b988b61b319816ca8b01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/291bb5d931c6f3cd7227b913302a17be21cf53b0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/73f7da507d787b489761a0fa280716f84fa32b2f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76a4c6636a69d69409aa253b049b1be717a539c5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94458781aee6045bd3d0ad4b80b02886b9e2219b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ccf0ad56a779e6704c0b27f555dec847f50c7557"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38713.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38713"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"73f7da507d787b489761a0fa280716f84fa32b2f"},{"fixed":"76a4c6636a69d69409aa253b049b1be717a539c5"},{"fixed":"ccf0ad56a779e6704c0b27f555dec847f50c7557"},{"fixed":"13604b1d7e7b125fb428cddbec6b8d92baad25d5"},{"fixed":"291bb5d931c6f3cd7227b913302a17be21cf53b0"},{"fixed":"f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee"},{"fixed":"6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9"},{"fixed":"1ca69007e52a73bd8b84b988b61b319816ca8b01"},{"fixed":"94458781aee6045bd3d0ad4b80b02886b9e2219b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38713.json"}}],"schema_version":"1.7.5"}