{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40351","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.187Z","datePublished":"2025-12-16T13:30:24.764Z","dateUpdated":"2026-05-11T21:47:41.349Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:47:41.349Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n\nThe syzbot reported issue in hfsplus_delete_cat():\n\n[   70.682285][ T9333] =====================================================\n[   70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220\n[   70.683640][ T9333]  hfsplus_subfolders_dec+0x1d7/0x220\n[   70.684141][ T9333]  hfsplus_delete_cat+0x105d/0x12b0\n[   70.684621][ T9333]  hfsplus_rmdir+0x13d/0x310\n[   70.685048][ T9333]  vfs_rmdir+0x5ba/0x810\n[   70.685447][ T9333]  do_rmdir+0x964/0xea0\n[   70.685833][ T9333]  __x64_sys_rmdir+0x71/0xb0\n[   70.686260][ T9333]  x64_sys_call+0xcd8/0x3cf0\n[   70.686695][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.687119][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.687646][ T9333]\n[   70.687856][ T9333] Uninit was stored to memory at:\n[   70.688311][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0\n[   70.688779][ T9333]  hfsplus_create_cat+0x148e/0x1800\n[   70.689231][ T9333]  hfsplus_mknod+0x27f/0x600\n[   70.689730][ T9333]  hfsplus_mkdir+0x5a/0x70\n[   70.690146][ T9333]  vfs_mkdir+0x483/0x7a0\n[   70.690545][ T9333]  do_mkdirat+0x3f2/0xd30\n[   70.690944][ T9333]  __x64_sys_mkdir+0x9a/0xf0\n[   70.691380][ T9333]  x64_sys_call+0x2f89/0x3cf0\n[   70.691816][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.692229][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.692773][ T9333]\n[   70.692990][ T9333] Uninit was stored to memory at:\n[   70.693469][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0\n[   70.693960][ T9333]  hfsplus_create_cat+0x148e/0x1800\n[   70.694438][ T9333]  hfsplus_fill_super+0x21c1/0x2700\n[   70.694911][ T9333]  mount_bdev+0x37b/0x530\n[   70.695320][ T9333]  hfsplus_mount+0x4d/0x60\n[   70.695729][ T9333]  legacy_get_tree+0x113/0x2c0\n[   70.696167][ T9333]  vfs_get_tree+0xb3/0x5c0\n[   70.696588][ T9333]  do_new_mount+0x73e/0x1630\n[   70.697013][ T9333]  path_mount+0x6e3/0x1eb0\n[   70.697425][ T9333]  __se_sys_mount+0x733/0x830\n[   70.697857][ T9333]  __x64_sys_mount+0xe4/0x150\n[   70.698269][ T9333]  x64_sys_call+0x2691/0x3cf0\n[   70.698704][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.699117][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.699730][ T9333]\n[   70.699946][ T9333] Uninit was created at:\n[   70.700378][ T9333]  __alloc_pages_noprof+0x714/0xe60\n[   70.700843][ T9333]  alloc_pages_mpol_noprof+0x2a2/0x9b0\n[   70.701331][ T9333]  alloc_pages_noprof+0xf8/0x1f0\n[   70.701774][ T9333]  allocate_slab+0x30e/0x1390\n[   70.702194][ T9333]  ___slab_alloc+0x1049/0x33a0\n[   70.702635][ T9333]  kmem_cache_alloc_lru_noprof+0x5ce/0xb20\n[   70.703153][ T9333]  hfsplus_alloc_inode+0x5a/0xd0\n[   70.703598][ T9333]  alloc_inode+0x82/0x490\n[   70.703984][ T9333]  iget_locked+0x22e/0x1320\n[   70.704428][ T9333]  hfsplus_iget+0x5c/0xba0\n[   70.704827][ T9333]  hfsplus_btree_open+0x135/0x1dd0\n[   70.705291][ T9333]  hfsplus_fill_super+0x1132/0x2700\n[   70.705776][ T9333]  mount_bdev+0x37b/0x530\n[   70.706171][ T9333]  hfsplus_mount+0x4d/0x60\n[   70.706579][ T9333]  legacy_get_tree+0x113/0x2c0\n[   70.707019][ T9333]  vfs_get_tree+0xb3/0x5c0\n[   70.707444][ T9333]  do_new_mount+0x73e/0x1630\n[   70.707865][ T9333]  path_mount+0x6e3/0x1eb0\n[   70.708270][ T9333]  __se_sys_mount+0x733/0x830\n[   70.708711][ T9333]  __x64_sys_mount+0xe4/0x150\n[   70.709158][ T9333]  x64_sys_call+0x2691/0x3cf0\n[   70.709630][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.710053][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.710611][ T9333]\n[   70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17\n[   70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.712490][ T9333] =====================================================\n[   70.713085][ T9333] Disabling lock debugging due to kernel taint\n[   70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...\n[   70.714159][ T9333] \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/hfsplus/super.c"],"versions":[{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"a2bee43b451615531ae6f3cf45054f02915ef885","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"b07630afe1671096dc64064190cae3b6165cf6e4","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"9df3c241fbf69edce968b20eeeeb3f6da34af041","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"1b9e5ade272f8be6421c9eea4c4f6810180017f9","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"2bb8bc99b1a7a46d83f95c46f530305f6df84eaf","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"295527bfdefd5bf31ec8218e2891a65777141d05","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"4891bf2b09c313622a6e07d7f108aa5e123c768d","status":"affected","versionType":"git"},{"version":"d7d673a591701f131e53d4fd4e2b9352f1316642","lessThan":"9b3d15a758910bb98ba8feb4109d99cc67450ee4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/hfsplus/super.c"],"versions":[{"version":"3.14","status":"affected"},{"version":"0","lessThan":"3.14","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.196","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.158","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.115","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.56","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.6","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.15.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.1.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.6.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.12.56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.17.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885"},{"url":"https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4"},{"url":"https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041"},{"url":"https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9"},{"url":"https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf"},{"url":"https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05"},{"url":"https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d"},{"url":"https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4"}],"title":"hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()","x_generator":{"engine":"bippy-1.2.0"}}}}