CVE-2025-37879

In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix improper handling of bogus negative read/write replies In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed. Make variables unsigned to avoid this problem. The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bogus RWRITE count (4294967295 > 3)

CVSS

No CVSS.

References

Link	Resource
https://git.kernel.org/stable/c/374e4cd75617c8c2552f562f39dd989583f5c330
https://git.kernel.org/stable/c/468ff4a7c61fb811c596a7c44b6a5455e40fd12b
https://git.kernel.org/stable/c/a68768e280b7d0c967ea509e791bb9b90adc94a5
https://git.kernel.org/stable/c/c548f95688e2b5ae0e2ae43d53cf717156c7d034
https://git.kernel.org/stable/c/d0259a856afca31d699b706ed5e2adf11086c73b
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Configurations

No configuration.

History

03 Nov 2025, 20:18

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html -

12 May 2025, 17:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-09 07:16

Updated : 2025-11-03 20:18

NVD link : CVE-2025-37879

Mitre link : CVE-2025-37879

CVE.ORG link : CVE-2025-37879

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2025-37879", "cveTags": [], "metrics": {}, "published": "2025-05-09T07:16:09.143", "references": [{"url": "https://git.kernel.org/stable/c/374e4cd75617c8c2552f562f39dd989583f5c330", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/468ff4a7c61fb811c596a7c44b6a5455e40fd12b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a68768e280b7d0c967ea509e791bb9b90adc94a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c548f95688e2b5ae0e2ae43d53cf717156c7d034", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0259a856afca31d699b706ed5e2adf11086c73b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/net: fix improper handling of bogus negative read/write replies\n\nIn p9_client_write() and p9_client_read_once(), if the server\nincorrectly replies with success but a negative write/read count then we\nwould consider written (negative) <= rsize (positive) because both\nvariables were signed.\n\nMake variables unsigned to avoid this problem.\n\nThe reproducer linked below now fails with the following error instead\nof a null pointer deref:\n9pnet: bogus RWRITE count (4294967295 > 3)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: 9p/net: se corrige el manejo incorrecto de respuestas de lectura/escritura negativas falsas. En p9_client_write() y p9_client_read_once(), si el servidor responde incorrectamente con \u00e9xito, pero con un recuento de escrituras/lecturas negativo, se considerar\u00eda que \"escrito\" (negativo) <= \"rsize\" (positivo) porque ambas variables estaban firmadas. Para evitar este problema, desactive el signo de las variables. El reproductor enlazado a continuaci\u00f3n ahora falla con el siguiente error en lugar de una referencia de puntero nulo: 9pnet: recuento de RWRITE falso (4294967295 > 3)"}], "lastModified": "2025-11-03T20:18:39.683", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}