{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68237", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-16T13:41:40.258Z", "datePublished": "2025-12-16T14:08:30.940Z", "dateUpdated": "2026-05-11T21:49:29.135Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:49:29.135Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function. We mask away the high 32 bits of\n\"req.len\" so that's capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/mtdchar.c"], "versions": [{"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83", "lessThan": "f37efdd97fd1ec3e0d0f1eec279c8279e28f981e", "status": "affected", "versionType": "git"}, {"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83", "lessThan": "457376c6fbf0c69326a9bf1f72416225f681192b", "status": "affected", "versionType": "git"}, {"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83", "lessThan": "eb9361484814fb12f3b7544b33835ea67d7a6a97", "status": "affected", "versionType": "git"}, {"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83", "lessThan": "37944f4f8199cd153fef74e95ca268020162f212", "status": "affected", "versionType": "git"}, {"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83", "lessThan": "e4185bed738da755b191aa3f2e16e8b48450e1b8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/mtdchar.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.159", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.118", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.60", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.10", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.1.159"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.6.118"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.12.60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.17.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"}, {"url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"}, {"url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"}, {"url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"}, {"url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"}], "title": "mtdchar: fix integer overflow in read/write ioctls", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function. We mask away the high 32 bits of\n\"req.len\" so that's capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."}], "id": "CVE-2025-68237", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2025-12-16T14:15:58.850", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: mtdchar: fix integer overflow in read/write ioctls", "id": "2422753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422753"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-68237", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68237\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68237\nhttps://lore.kernel.org/linux-cve-announce/2025121635-CVE-2025-68237-7f03@gregkh/T"], "threat_severity": "Low"}

{}