{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T07:49:38.556","vulnerabilities":[{"cve":{"id":"CVE-2025-39735","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-18T07:15:44.150","lastModified":"2025-11-03T20:18:47.320","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds read in ea_get()\n\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\n\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\n\n\tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\n\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\n\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\n\n\tfor (i = 0; i < len; i += rowsize) {\n\t\tlinelen = min(remaining, rowsize);\n\t\tremaining -= rowsize;\n\n\t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\n\t\t\t\t linebuf, sizeof(linebuf), ascii);\n\n\t\t...\n\t}\n\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\n\n\tfor (j = 0; j < len; j++) {\n\t\t\tif (linebuflen < lx + 2)\n\t\t\t\tgoto overflow2;\n\t\t\tch = ptr[j];\n\t\t...\n\t}\n\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: corrección de lectura fuera de los límites de slab en ea_get(). Durante la etiqueta \"size_check\" en ea_get(), el código comprueba si el tamaño de la lista de atributos extendidos (xattr) coincide con ea_size. De lo contrario, registra \"ea_get: atributo extendido no válido\" y llama a print_hex_dump(). En este caso, EALIST_SIZE(ea_buf->xattr) devuelve 4110417968, que excede INT_MAX (2147483647). A continuación, se fija ea_size: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Aunque clamp_t busca limitar ea_size entre 0 y 4110417968, el límite superior se trata como un entero, lo que provoca un desbordamiento por encima de 2^31 - 1. Esto hace que \"size\" se repita y se vuelva negativo (-184549328). El \"size\" se pasa a print_hex_dump() (llamado \"len\" en print_hex_dump()) como tipo size_t (un tipo sin signo). Este se almacena en una variable llamada \"int remaining\", que se asigna a \"int linelen\", que a su vez se pasa a hex_dump_to_buffer(). En print_hex_dump(), el bucle for itera desde 0 hasta len-1, donde len es 18446744073525002176 y llama a hex_dump_to_buffer() en cada iteración: for (i = 0; i < len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } La condición de detención esperada (i < len) se rompe efectivamente ya que len está dañado y es muy grande. Esto eventualmente lleva a que \"ptr+i\" se pase a hex_dump_to_buffer() para acercarse al final de los límites reales de \"ptr\", eventualmente se realiza un acceso fuera de los límites en hex_dump_to_buffer() en el siguiente bucle for: for (j = 0; j < len; j++) { if (linebuflen < lx + 2) goto overflow2; ch = ptr[j]; ... } Para solucionar esto debemos validar \"EALIST_SIZE(ea_buf->xattr)\" antes de utilizarlo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.325","versionEndExcluding":"4.20","matchCriteriaId":"3C960EB7-4E90-49E0-BB92-BE6F1B8CF26F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.287","versionEndExcluding":"5.4.292","matchCriteriaId":"16E1C46D-7C0B-4307-928A-8D0ABDF8D1B8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.231","versionEndExcluding":"5.10.236","matchCriteriaId":"8F0C4A9A-87C3-4779-923D-5E19C9A26EA9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.174","versionEndExcluding":"5.15.180","matchCriteriaId":"B6B383DC-5ED6-4326-885D-2F161A71E2D5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.120","versionEndExcluding":"6.1.134","matchCriteriaId":"B9344B2D-88D1-4540-9748-8CC37D3B25C8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.64","versionEndExcluding":"6.6.87","matchCriteriaId":"042FFA18-3C6A-4999-AB8F-4F6F5902BEEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.11","versionEndExcluding":"6.12","matchCriteriaId":"4CBF5F6E-D446-4CAE-AAA4-413442319824"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.2","versionEndExcluding":"6.12.23","matchCriteriaId":"B5C71FC9-A61C-431A-9215-38D09F5A2FF3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.11","matchCriteriaId":"E7E864B0-8C00-4679-BA55-659B4C9C3AD3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.2","matchCriteriaId":"FADAE5D8-4808-442C-B218-77B2CE8780A0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}