HIGH
hfs CNID UAF
CVE-2025-68761
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved: hfs: fix potential use after free in hfs_correct_next_unused_CNID() This code calls hfs_bnode_put(node) which drops the refcount and then dereferences "node" on the next line. It's only safe to use "node" when we're holding a reference so flip these two lines around.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the HFS filesystem's CNID correction logic allows local attackers with write access to a mounted HFS volume to potentially execute arbitrary code or crash the kernel. The bug occurs when the code accesses a bnode structure after dropping its reference count, so freed memory can be read during catalog record deletion.
Vulnerability analysis
The vulnerability exists in hfs_correct_next_unused_CNID() where hfs_bnode_put(node) decrements the reference count and potentially frees the node structure, but the code immediately accesses node->prev afterward. This creates a classic use-after-free condition. The fix reorders the operations to read node->prev before calling hfs_bnode_put(). The attack surface is local filesystem operations on mounted HFS volumes; the vulnerable code path is reached during standard file deletion operations (unlink/rmdir), which any user with write access to the filesystem can trigger.
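To illustrate the ordering defect the analysis describes, the following is an added C model, not kernel code: the struct, bnode_put(), read_prev() and reads_after_release() are constructed stand-ins for hfs_bnode and hfs_bnode_put(), and the node is kept in memory after its last reference is dropped so that the read-after-release is detected instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Toy model of a refcounted b-tree node (constructed for this example).
 * The real hfs_bnode is freed by the kernel on the last put; here the
 * memory stays valid and a flag records the release so misuse is observable.
 */
struct bnode {
    int refcnt;
    struct bnode *prev;   /* the field read after the put in the bug */
    bool released;        /* set where the kernel would free the node */
};

/* Drop one reference; the last drop "frees" the node (modelled as a flag). */
static void bnode_put(struct bnode *node)
{
    if (--node->refcnt == 0)
        node->released = true;
}

/* Instrumented field read: records whether the node was already released. */
static struct bnode *read_prev(struct bnode *node, bool *after_free)
{
    if (node->released)
        *after_free = true;
    return node->prev;
}

/* Ordering before the fix: put first, then touch node->prev. */
struct bnode *next_unused_vulnerable(struct bnode *node, bool *after_free)
{
    *after_free = false;
    bnode_put(node);
    return read_prev(node, after_free);   /* UAF when that was the last ref */
}

/* Ordering of the fix: read node->prev while the reference is still held. */
struct bnode *next_unused_fixed(struct bnode *node, bool *after_free)
{
    *after_free = false;
    struct bnode *prev = read_prev(node, after_free);
    bnode_put(node);
    return prev;
}

/* Run one ordering on a node that holds `refs` references; returns true
 * when the prev field was read after the node had been released. */
bool reads_after_release(bool fixed_order, int refs)
{
    struct bnode prev_node = { .refcnt = 1, .prev = NULL, .released = false };
    struct bnode node = { .refcnt = refs, .prev = &prev_node, .released = false };
    bool after_free = false;
    if (fixed_order)
        next_unused_fixed(&node, &after_free);
    else
        next_unused_vulnerable(&node, &after_free);
    return after_free;
}
```

The refs == 2 case shows why the bug is "potential": when another holder keeps the node alive the bad ordering is latent, which is why reordering the read before the put is the correct fix rather than relying on the caller's reference count.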
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.2 | 40a1e0142096 |
| mainline | 6.19 | c105e76bb17c |