CVE-2025-37816 Affecting ocfs2-kmp-default package, versions <6.4.0-150700.53.6.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES157-OCFS2KMPDEFAULT-10747318
- published15 Jul 2025
- disclosed14 Jul 2025
Introduced: 14 Jul 2025
NewCVE-2025-37816 (opens in a new tab)How to fix?
Upgrade SLES:15.7 ocfs2-kmp-default to version 6.4.0-150700.53.6.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ocfs2-kmp-default package and not the ocfs2-kmp-default package as distributed by SLES.
See How to fix? for SLES:15.7 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
mei: vsc: Fix fortify-panic caused by invalid counted_by() use
gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length without the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered:
[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [ 80.843175] __fortify_panic+0x9/0xb [ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110 [ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc] [ 80.843270] mei_reset+0x11d/0x420 [mei]
The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet.
Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.
References
- https://www.suse.com/security/cve/CVE-2025-37816.html
- https://bugzilla.suse.com/1242863
- https://git.kernel.org/stable/c/00f1cc14da0f06d2897b8c528df7c7dcf1b8da50
- https://git.kernel.org/stable/c/3e243378f27cc7d11682a3ad720228b0723affa5
- https://git.kernel.org/stable/c/ac04663c67f244810b3492e9ecd9f7cdbefeca2d