CVE-2025-37858

In the Linux kernel, the following vulnerability has been resolved:

fs/jfs: Prevent integer overflow in AG size calculation

The JFS filesystem calculates allocation group (AG) size using 1 << l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB aggregates on 32-bit systems), this 32-bit shift operation causes undefined behavior and improper AG sizing.

On 32-bit architectures:

Left-shifting 1 by 32+ bits results in 0 due to integer overflow
This creates invalid AG sizes (0 or garbage values) in sbi->bmap->db_agsize
Subsequent block allocations would reference invalid AG structures
Could lead to:
- Filesystem corruption during extend operations
- Kernel crashes due to invalid memory accesses
- Security vulnerabilities via malformed on-disk structures

Fix by casting to s64 before shifting: bmp->db_agsize = (s64)1 << l2agsize;

This ensures 64-bit arithmetic even on 32-bit architectures. The cast matches the data type of db_agsize (s64) and follows similar patterns in JFS block calculation code.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Published: May 9, 2025
Updated: Nov 13, 2025
CVE: CVE-2025-37858
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-190

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	-	5.4.293
linux / linux_kernel	5.5	5.10.237
linux / linux_kernel	5.11	5.15.181
linux / linux_kernel	5.16	6.1.135
linux / linux_kernel	6.2	6.6.88
linux / linux_kernel	6.7	6.12.24
linux / linux_kernel	6.13	6.13.12
linux / linux_kernel	6.14	6.14.3
debian / debian_linux	11.0	11.0.x

Vulnerability Database

309,469

CVE-2025-37858

Deep Security Visibility Without the Complexity