CVE-2025-40205
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes). If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned. This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id. A previous attempt to fix this issue was made but was lost. https://lore.kernel.org/all/[email protected]/ Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-14
Generated
2026-06-16
AI Q&A
2025-11-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's btrfs filesystem code, specifically in the function btrfs_encode_fh(). The function does not properly handle three different cases when encoding a file handle, leading to a situation where it can write more data than the buffer size allows. This causes an 8-byte out-of-bounds write, which is a form of memory corruption. The issue arises because the function sometimes writes 40 bytes but only indicates a smaller size (20 or 32 bytes), so if the buffer is not large enough, it overwrites memory beyond its boundary.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel when using the btrfs filesystem. Although it is not easily triggerable, memory corruption bugs can potentially cause system instability, crashes, or be exploited to execute arbitrary code with kernel privileges, which could compromise system security.

Mitigation Strategies

The vulnerability is resolved by applying the patch that ensures the function btrfs_encode_fh() returns the appropriate size for all cases and validates the buffer size before writing. Immediate mitigation steps include updating the Linux kernel to a version that contains this fix to avoid potential out-of-bounds writes and memory corruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart