{"id":"AZL-61475","summary":"CVE-2025-37785 affecting package kernel for versions less than 6.6.92.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains '.' dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least '.'\nand '..' as directory entries in the first data block. It first loads\nthe '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of '..' dir\nentry (in ext4_next_entry). It assumes the '..' dir entry fits into the\nsame data block.\n\nIf the rec_len of '.' is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for '.' dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[   38.595158]\n[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   38.595304] Call Trace:\n[   38.595308]  \u003cTASK\u003e\n[   38.595311]  dump_stack_lvl+0xa7/0xd0\n[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0\n[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595349]  print_report+0xaa/0x250\n[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595368]  ? kasan_addr_to_slab+0x9/0x90\n[   38.595378]  kasan_report+0xab/0xe0\n[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595400]  __ext4_check_dir_entry+0x67e/0x710\n[   38.595410]  ext4_empty_dir+0x465/0x990\n[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10\n[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10\n[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0\n[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10\n[   38.595478]  ? down_write+0xdb/0x140\n[   38.595487]  ? __pfx_down_write+0x10/0x10\n[   38.595497]  ext4_rmdir+0xee/0x140\n[   38.595506]  vfs_rmdir+0x209/0x670\n[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190\n[   38.595529]  do_rmdir+0x363/0x3c0\n[   38.595537]  ? __pfx_do_rmdir+0x10/0x10\n[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0\n[   38.595561]  __x64_sys_unlinkat+0xf0/0x130\n[   38.595570]  do_syscall_64+0x5b/0x180\n[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e","modified":"2026-04-01T05:19:41.980335Z","published":"2025-04-18T07:15:42Z","upstream":["CVE-2025-37785"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37785"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.92.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61475.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}