{"id":"CVE-2025-40088","summary":"hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[  117.317703][ T9855] ==================================================================\n[  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[  117.319577][ T9855]\n[  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  117.319783][ T9855] Call Trace:\n[  117.319785][ T9855]  \u003cTASK\u003e\n[  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0\n[  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10\n[  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0\n[  117.319816][ T9855]  ? lock_release+0x4b/0x3e0\n[  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40\n[  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319842][ T9855]  print_report+0x17e/0x7e0\n[  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319862][ T9855]  ? __phys_addr+0xd3/0x180\n[  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319876][ T9855]  kasan_report+0x147/0x180\n[  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490\n[  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0\n[  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470\n[  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10\n[  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10\n[  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510\n[  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10\n[  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510\n[  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0\n[  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120\n[  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890\n[  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10\n[  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0\n[  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80\n[  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10\n[  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100\n[  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150\n[  117.320034][ T9855]  __lookup_slow+0x297/0x3d0\n[  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10\n[  117.320045][ T9855]  ? down_read+0x1ad/0x2e0\n[  117.320055][ T9855]  lookup_slow+0x53/0x70\n[  117.320065][ T9855]  walk_component+0x2f0/0x430\n[  117.320073][ T9855]  path_lookupat+0x169/0x440\n[  117.320081][ T9855]  filename_lookup+0x212/0x590\n[  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10\n[  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290\n[  117.320105][ T9855]  ? getname_flags+0x1e5/0x540\n[  117.320112][ T9855]  user_path_at+0x3a/0x60\n[  117.320117][ T9855]  __x64_sys_umount+0xee/0x160\n[  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10\n[  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0\n[  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0\n[  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0\n[  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---","modified":"2026-04-16T04:37:05.589346709Z","published":"2025-10-30T09:47:57.333Z","related":["SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4111-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4189-1","SUSE-SU-2025:4301-1","SUSE-SU-2026:0473-1","openSUSE-SU-2025:15702-1","openSUSE-SU-2026:10301-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40088.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/42520df65bf67189541a425f7d36b0b3e7bd7844"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"},{"type":"WEB","url":"https://git.kernel.org/stable/c/586c75dfd1d265c4150f6529debb85c9d62e101f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ab44236b32ed41eb0636797e8e8e885a2f3b18a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b47a75b6f762321f9eb6f31aab7bce47a37063b7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40088.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40088"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"603158d4efa98a13a746bd586c20f194f4a31ec8"},{"fixed":"ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"},{"fixed":"7ab44236b32ed41eb0636797e8e8e885a2f3b18a"},{"fixed":"b47a75b6f762321f9eb6f31aab7bce47a37063b7"},{"fixed":"4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"},{"fixed":"586c75dfd1d265c4150f6529debb85c9d62e101f"},{"fixed":"4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"},{"fixed":"42520df65bf67189541a425f7d36b0b3e7bd7844"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40088.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.12"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.196"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.158"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.114"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.55"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40088.json"}}],"schema_version":"1.7.5"}