Buffer Overflow in OrangeFS Affecting Linux Kernel
CVE-2025-40306

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 8 December 2025

What is CVE-2025-40306?

A vulnerability was identified in the OrangeFS component of the Linux kernel: the xattr_key() function mishandles a pointer condition inside a loop. As a result, the loop can keep accessing memory indefinitely, consuming CPU or hanging the thread. The problem was reproducible with the setfattr and getfattr commands, which led to a kernel error and corrupted OrangeFS files. Fixing the pointer dereference restored correct operation but exposed a memory leak in xattr handling: memory was allocated continuously without being freed, which worsened resource depletion during file operations. Changing the code to use hlist_add_head instead of hash_add resolved the memory leak and stabilized the system's performance.
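The two defects described above, as an added user-space model that is not the kernel's code: a key-hashing loop that must test the byte rather than the pointer, and a cache whose insert bucket must match the bucket the lookup scans. The table size, `struct entry`, `rehash()`, `lookup()` and `fetch_n()` are hypothetical, and the bucket mismatch is an assumed cause of the leak, which the page does not state.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 16                      /* assumed table size for this model */
struct entry { char key[64]; struct entry *next; };
static struct entry *table[BUCKETS];

/* Bucket index from the attribute name. The loop tests the byte (*key);
 * testing the pointer (key) never turns false and walks past the terminator. */
static int xattr_key(const char *key)
{
    int i = 0;
    while (*key)
        i += (unsigned char)*key++;
    return i % BUCKETS;
}

/* Hypothetical stand-in for an insert helper that re-hashes what it is given. */
static int rehash(int v) { return (v * 7 + 3) % BUCKETS; }

static struct entry *lookup(const char *key)
{
    struct entry *e;
    for (e = table[xattr_key(key)]; e; e = e->next)
        if (strcmp(e->key, key) == 0)
            return e;
    return NULL;
}

/* Get-or-create n times; returns how many entries had to be allocated. */
static int fetch_n(const char *key, int n, int consistent)
{
    int allocs = 0;
    while (n-- > 0) {
        if (lookup(key))
            continue;                   /* cache hit: nothing allocated */
        struct entry *e = calloc(1, sizeof(*e));
        if (!e) break;
        strncpy(e->key, key, sizeof(e->key) - 1);
        int b = consistent ? xattr_key(key) : rehash(xattr_key(key));
        e->next = table[b];             /* push onto the chosen bucket's list */
        table[b] = e;
        allocs++;
    }
    return allocs;
}

int main(void) { printf("%d %d\n", fetch_n("user.a", 5, 0), fetch_n("user.b", 5, 1)); return 0; }
```

With mismatched buckets every lookup misses and allocates again; with the same index on both sides only the first call allocates.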

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 15afebb9597449c444801d1ff0b8d8b311f950ab

Timeline

  • Vulnerability published

  • Vulnerability Reserved
