Vulnerability Database

308,681

Total vulnerabilities in the database

CVE-2025-38710

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Validate i_depth for exhash directories

A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at:

index = hash >> (32 - dip->i_depth);

As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.

So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there.

Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated.

Tested with the syzkaller repro.c and xfstests '-g quick'.

Published: Sep 4, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-38710
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

No affected software listed.

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo