{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38710", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.033Z", "datePublished": "2025-09-04T15:33:00.629Z", "dateUpdated": "2026-05-11T21:33:29.320Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:33:29.320Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Validate i_depth for exhash directories\n\nA fuzzer test introduced corruption that ends up with a depth of 0 in\ndir_e_read(), causing an undefined shift by 32 at:\n\n index = hash >> (32 - dip->i_depth);\n\nAs calculated in an open-coded way in dir_make_exhash(), the minimum\ndepth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is\ninvalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.\n\nSo we can avoid the undefined behaviour by checking for depth values\nlower than the minimum in gfs2_dinode_in(). Values greater than the\nmaximum are already being checked for there.\n\nAlso switch the calculation in dir_make_exhash() to use ilog2() to\nclarify how the depth is calculated.\n\nTested with the syzkaller repro.c and xfstests '-g quick'."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/dir.c", "fs/gfs2/glops.c"], "versions": [{"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab", "lessThan": "cddea0c721106ea480371412d8de21705eb27376", "status": "affected", "versionType": "git"}, {"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab", "lessThan": "53a0249d68a210c16e961b83adfa82f94ee0a53d", "status": "affected", "versionType": "git"}, {"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab", "lessThan": "b5f46951e62377b6e406fadc18bc3c5bdf1632a7", "status": "affected", "versionType": "git"}, {"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab", "lessThan": "9680c58675b82348ab84d387e4fa727f7587e1a0", "status": "affected", "versionType": "git"}, {"version": "9a0045088d888c9c539c8c626a366cb52c0fbdab", "lessThan": "557c024ca7250bb65ae60f16c02074106c2f197b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/dir.c", "fs/gfs2/glops.c"], "versions": [{"version": "2.6.26", "status": "affected"}, {"version": "0", "lessThan": "2.6.26", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.43", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.11", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.2", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.12.43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.15.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.16.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cddea0c721106ea480371412d8de21705eb27376"}, {"url": "https://git.kernel.org/stable/c/53a0249d68a210c16e961b83adfa82f94ee0a53d"}, {"url": "https://git.kernel.org/stable/c/b5f46951e62377b6e406fadc18bc3c5bdf1632a7"}, {"url": "https://git.kernel.org/stable/c/9680c58675b82348ab84d387e4fa727f7587e1a0"}, {"url": "https://git.kernel.org/stable/c/557c024ca7250bb65ae60f16c02074106c2f197b"}], "title": "gfs2: Validate i_depth for exhash directories", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1936DB45-ECC5-4A1A-A924-0D4E14DFE578", "versionEndExcluding": "6.12.43", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC242347-F722-43AE-B910-BE0B22386977", "versionEndExcluding": "6.15.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD7C087D-2415-4521-B624-30003352F899", "versionEndExcluding": "6.16.2", "versionStartIncluding": "6.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Validate i_depth for exhash directories\n\nA fuzzer test introduced corruption that ends up with a depth of 0 in\ndir_e_read(), causing an undefined shift by 32 at:\n\n index = hash >> (32 - dip->i_depth);\n\nAs calculated in an open-coded way in dir_make_exhash(), the minimum\ndepth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is\ninvalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.\n\nSo we can avoid the undefined behaviour by checking for depth values\nlower than the minimum in gfs2_dinode_in(). Values greater than the\nmaximum are already being checked for there.\n\nAlso switch the calculation in dir_make_exhash() to use ilog2() to\nclarify how the depth is calculated.\n\nTested with the syzkaller repro.c and xfstests '-g quick'."}], "id": "CVE-2025-38710", "lastModified": "2026-04-11T13:16:35.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-09-04T16:15:40.137", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/53a0249d68a210c16e961b83adfa82f94ee0a53d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/557c024ca7250bb65ae60f16c02074106c2f197b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9680c58675b82348ab84d387e4fa727f7587e1a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5f46951e62377b6e406fadc18bc3c5bdf1632a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cddea0c721106ea480371412d8de21705eb27376"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gfs2: Validate i_depth for exhash directories", "id": "2393213", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393213"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38710", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38710\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38710\nhttps://lore.kernel.org/linux-cve-announce/2025090456-CVE-2025-38710-1b60@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T21:54:41.152691+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the commit fixing the GFS2 depth validation bug (see commit 53a0249d68a210c16e961b83adfa82f94ee0a53d).", "Reboot the system into the updated kernel to apply the patch and ensure the filesystem is active with the new code path. ", "If an immediate kernel upgrade cannot be performed, remount any GFS2 volumes in read\u2011only mode or disable GFS2 usage to prevent the vulnerable code from executing."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems encompass all Linux kernel releases that contain the GFS2 filesystem implementation where this bug exists. No specific version ranges are documented in the available data, indicating that any kernel incorporating the unpatched code path could be vulnerable. Administrators should assess whether their installations use GFS2 and if they run a kernel version before the identified commit.", "description_and_impact": "The vulnerability arises from an undefined shift operation in the GFS2 filesystem code when an exhash directory has a depth of zero. The calculation index = hash >> (32 - dip->i_depth); fails when i_depth equals zero, causing a shift of 32 bits and undefined behaviour. This flaw can lead to memory corruption or a kernel panic, effectively resulting in a denial\u2011of\u2011service condition. The attack is likely local or requires privileged access to manipulate GFS2 directory structures, as the code that triggers the bug is only executed during filesystem operations. The fault is a weakness in input validation and calculation logic, which can be exploited when an attacker forces the depth to an illegal value.", "risk_and_exploitability": "Risk and exploitability assessment shows a CVSS score of 5.5, placing the vulnerability in a moderate severity range. The EPSS score is less than 1\u202f%, implying a very low current exploitation probability, and the issue is not listed in CISA\u2019s KEV catalog. The primary vector remains a local, privileged attack; however, if a process with the ability to perform privileged filesystem operations is compromised, the adversary could trigger a crash. The updated kernel mitigates the undefined behavior by validating depth values in gfs2_dinode_in() and recalculating the depth with ilog2()."}}}}, "created": "2025-09-05T14:02:36.064010+00:00", "updated": "2026-04-20T22:00:11.217314+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-795", "CWE-190"]}