PT-2025-46762 · Btrfs+4 · Btrfs+4

Published

2025-09-08

·

Updated

2026-05-07

·

CVE-2025-40205

CVSS v2.0

4.6

Medium

VectorAV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The btrfs encode fh() function does not properly account for all cases it handles, potentially leading to an out-of-bounds write. Specifically, when a parent exists and the root ID of the parent and the inode are different, the function may attempt to write BTRFS FID SIZE CONNECTABLE ROOT (40 bytes) to a buffer sized for BTRFS FID SIZE CONNECTABLE (32 bytes), resulting in an 8-byte out-of-bounds write to fid->parent root objectid = parent root id. The issue arises because the function does not always return the correct size to the user, and it fails to validate that max len is large enough before writing data.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Weakness Enumeration

CWE-131CWE-787

Related Identifiers

AZL-70097
BDU:2025-14654
CVE-2025-40205
DLA-4379-1
DLA-4404-1
OESA-2026-1950
OPENSUSE-SU-2025:20172-1
SUSE-SU-2025:4393-1
SUSE-SU-2025:4422-1
SUSE-SU-2025:4505-1
SUSE-SU-2025:4515-1
SUSE-SU-2025:4516-1
SUSE-SU-2025:4517-1
SUSE-SU-2025:4521-1
SUSE-SU-2026:20012-1
SUSE-SU-2026:20015-1
SUSE-SU-2026:20021-1
SUSE-SU-2026:20039-1
SUSE-SU-2026:20059-1
SUSE-SU-2026:20473-1
SUSE-SU-2026:20496-1
USN-8029-1
USN-8029-2
USN-8029-3
USN-8030-1
USN-8033-1
USN-8033-2
USN-8033-3
USN-8033-4
USN-8033-5
USN-8033-6
USN-8033-7
USN-8033-8
USN-8034-1
USN-8034-2
USN-8048-1
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8141-1
USN-8163-1
USN-8163-2
USN-8165-1
USN-8243-1
USN-8261-1

Affected Products

Debian
Linuxmint
Linux Kernel
Ubuntu
Btrfs