Home

Description

In the Linux kernel, the following vulnerability has been resolved: audit: fix out-of-bounds read in audit_compare_dname_path() When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in audit_compare_dname_path(). The helper parent_len() returns 1 for "/". In audit_compare_dname_path(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read. Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access. [PM: subject tweak, sign-off email fixes]

PUBLISHED Reserved 2025-04-16 | Published 2025-09-19 | Updated 2025-09-29 | Assigner Linux

Product status

Default status
unaffected

e92eebb0d6116f942ab25dfb1a41905aa59472a8 (git) before 9735a9dcc307427e7d6336c54171682f1bac9789
affected

e92eebb0d6116f942ab25dfb1a41905aa59472a8 (git) before 4540f1d23e7f387880ce46d11b5cd3f27248bf8d
affected

Default status
affected

6.14
affected

Any version before 6.14
unaffected

6.16.6 (semver)
unaffected

6.17 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/9735a9dcc307427e7d6336c54171682f1bac9789

git.kernel.org/...c/4540f1d23e7f387880ce46d11b5cd3f27248bf8d

cve.org (CVE-2025-39840)

nvd.nist.gov (CVE-2025-39840)

Download JSON