CVE-2025-0927 - Vulnerability Details

Description

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Filesystem bugs due to corrupt images are not considered a CVE for any filesystem that is only mountable by CAP_SYS_ADMIN in the initial user namespace. That includes delegated mounting.

Published: 2025-03-23

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7315	In the Linux kernel, the following vulnerability has been found: A heap overflow in the hfs and hfsplus filesystems can happen if a user mounts a manually crafted filesystem. At this point in time, it is not fixed in any released kernel version, this is a stop-gap report to notify that kernel.org is now the owner of this CVE id. The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue.
Ubuntu USN	USN-7276-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7288-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7288-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7293-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7296-1	Linux kernel vulnerability
Ubuntu USN	USN-7298-1	Linux kernel vulnerability
Ubuntu USN	USN-7300-1	Linux kernel vulnerability
Ubuntu USN	USN-7301-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7310-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7323-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7323-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7325-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7325-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7325-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7326-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7328-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7328-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7328-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7329-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7331-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7332-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7344-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7344-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7381-1	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-7384-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7384-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7385-1	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7386-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7388-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7389-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-7390-1	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7392-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7392-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7392-3	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7392-4	Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN	USN-7393-1	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7401-1	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7403-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7413-1	Linux kernel (IoT) vulnerabilities
Ubuntu USN	USN-7458-1	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7463-1	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7468-1	Linux kernel (Azure, N-Series) vulnerabilities
Ubuntu USN	USN-7539-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7540-1	Linux kernel (Raspberry Pi) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lore.kernel.org/linux-cve-announce/2025033057-CVE-2025-0927-1436@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-0927
https://www.cve.org/CVERecord?id=CVE-2025-0927

History

Wed, 18 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Moderate`	threat_severity `None`

Tue, 08 Apr 2025 09:15:00 +0000

Type	Values Removed	Values Added
References	https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 08 Apr 2025 08:45:00 +0000

Type	Values Removed	Values Added
References	https://ubuntu.com/security/CVE-2025-0927 https://ubuntu.com/security/notices/USN-7276-1 https://www.kernel.org/

Tue, 08 Apr 2025 08:15:00 +0000

Type	Values Removed	Values Added
Description	In the Linux kernel, the following vulnerability has been found: A heap overflow in the hfs and hfsplus filesystems can happen if a user mounts a manually crafted filesystem. At this point in time, it is not fixed in any released kernel version, this is a stop-gap report to notify that kernel.org is now the owner of this CVE id. The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Filesystem bugs due to corrupt images are not considered a CVE for any filesystem that is only mountable by CAP_SYS_ADMIN in the initial user namespace. That includes delegated mounting.

Wed, 02 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
Title		kernel: heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem
References		https://lore.kernel.org/linux-cve-announce/2025033057-CVE-2025-0927-1436@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-0927 https://www.cve.org/CVERecord?id=CVE-2025-0927
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 31 Mar 2025 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-122

Mon, 31 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 31 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122

Mon, 31 Mar 2025 08:15:00 +0000

Type	Values Removed	Values Added
Title	HFS+ filesystem heap overflow

Sun, 30 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
Title		HFS+ filesystem heap overflow

Sun, 30 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Title	HFS+ filesystem heap overflow
Metrics	cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Sun, 30 Mar 2025 19:00:00 +0000

Type	Values Removed	Values Added
Description	Attila Szász discovered that the HFS+ file system implementation in the Linux Kernel contained a heap overflow vulnerability. An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code.	In the Linux kernel, the following vulnerability has been found: A heap overflow in the hfs and hfsplus filesystems can happen if a user mounts a manually crafted filesystem. At this point in time, it is not fixed in any released kernel version, this is a stop-gap report to notify that kernel.org is now the owner of this CVE id. The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue.
References		https://www.kernel.org/
Metrics		cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Tue, 25 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
References		https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 24 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sun, 23 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Description		Attila Szász discovered that the HFS+ file system implementation in the Linux Kernel contained a heap overflow vulnerability. An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code.
Title		HFS+ filesystem heap overflow
Weaknesses		CWE-787
References		https://ubuntu.com/security/CVE-2025-0927 https://ubuntu.com/security/notices/USN-7276-1
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: REJECTED

Assigner: canonical

Published: 2025-03-23T15:00:47.770Z

Updated: 2026-01-22T16:58:46.079Z

Reserved: 2025-01-31T10:42:56.521Z

Link: CVE-2025-0927

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-03-23T15:15:12.537

Modified: 2025-04-08T08:15:14.863

Link: CVE-2025-0927

Redhat

Severity :

Publid Date: 2025-03-30T00:00:00Z

Links: CVE-2025-0927 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-787

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object