{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40306","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.185Z","datePublished":"2025-12-08T00:46:31.514Z","dateUpdated":"2026-05-11T21:46:48.180Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:48.180Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau <w@1wt.eu> forwarded me a message from\nDisclosure <disclosure@aisle.com> with the following\nwarning:\n\n> The helper `xattr_key()` uses the pointer variable in the loop condition\n> rather than dereferencing it. As `key` is incremented, it remains non-NULL\n> (until it runs into unmapped memory), so the loop does not terminate on\n> valid C strings and will walk memory indefinitely, consuming CPU or hanging\n> the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that led to OOM. xattr_key returns\na hashed key.  When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. 
Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/orangefs/xattr.c"],"versions":[{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"c6564ff6b53c9a8dc786b6f1c51ae7688273f931","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"ef892d2bf4f3fa2c8de1677dd307e678bdd3d865","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"15afebb9597449c444801d1ff0b8d8b311f950ab","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"bc812574de633cf9a9ad6974490e45f6a4bb5126","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"e09a096104fc65859422817fb2211f35855983fe","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"9127d1e90c90e5960c8bc72a4ce2c209691a7021","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"c2ca015ac109fd743fdde27933d59dc5ad46658e","status":"affected","versionType":"git"},{"version":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f","lessThan":"025e880759c279ec64d0f754fe65bf45961da864","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/orangefs/xattr.c"],"versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","status":"unaffected","versionType":"semver
"},{"version":"5.4.302","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.247","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.197","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.58","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.8","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.4.302"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.10.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.15.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.12.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.17.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kern
el.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931"},{"url":"https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"},{"url":"https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab"},{"url":"https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126"},{"url":"https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe"},{"url":"https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021"},{"url":"https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e"},{"url":"https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864"}],"title":"orangefs: fix xattr related buffer overflow...","x_generator":{"engine":"bippy-1.2.0"}}}}