CVE-2025-21782
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

orangefs: fix a oob in orangefs_debug_write

I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch.
Security Summary
CVE-2025-21782 is a slab-out-of-bounds read vulnerability in the orangefs_debug_write function within the OrangeFS filesystem implementation of the Linux kernel. Discovered via a syzbot report, the issue allows out-of-bounds memory access during debug write operations. It is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating high severity due to impacts on confidentiality and availability.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and without user interaction. Successful exploitation allows reading out-of-bounds kernel memory, which can leak confidential data, and can trigger a denial of service through kernel crashes or instability. It does not affect integrity or escalate privileges beyond the local scope.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 09d472a18c0ee1d5b83612cb919e33a1610fea16, 18b7f841109f697840fe8633cf7ed7d32bd3f91b, 1c5244299241cf49d8ae7b5054e299cc8faa4e09, 1da2697307dad281dd690a19441b5ca4af92d786, and 2b84a231910cef2e0a16d29294afabfb69112087. Security practitioners should update affected Linux kernel versions supporting OrangeFS to incorporate these fixes.
Details
- CWE(s)