7.1

CVE-2025-39817

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Observed on kernel 6.6 (present on master as well):

  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
  Call trace:
   kasan_check_range+0xe8/0x190
   __asan_loadN+0x1c/0x28
   memcmp+0x98/0xd0
   efivarfs_d_compare+0x68/0xd8
   __d_lookup_rcu_op_compare+0x178/0x218
   __d_lookup_rcu+0x1f8/0x228
   d_alloc_parallel+0x150/0x648
   lookup_open.isra.0+0x5f0/0x8d0
   open_last_lookups+0x264/0x828
   path_openat+0x130/0x3f8
   do_filp_open+0x114/0x248
   do_sys_openat2+0x340/0x3c0
   __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become
negative, leadings to oob. The issue can be triggered by parallel
lookups using invalid filename:

  T1			T2
  lookup_open
   ->lookup
    simple_lookup
     d_add
     // invalid dentry is added to hash list

			lookup_open
			 d_alloc_parallel
			  __d_lookup_rcu
			   __d_lookup_rcu_op_compare
			    hlist_bl_for_each_entry_rcu
			    // invalid dentry can be retrieved
			     ->d_compare
			      efivarfs_d_compare
			      // oob

Fix it by checking 'guid' before cmp.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.8.2 < 5.4.298
LinuxLinux Kernel Version >= 5.5 < 5.10.242
LinuxLinux Kernel Version >= 5.11 < 5.15.191
LinuxLinux Kernel Version >= 5.16 < 6.1.150
LinuxLinux Kernel Version >= 6.2 < 6.6.104
LinuxLinux Kernel Version >= 6.7 < 6.12.45
LinuxLinux Kernel Version >= 6.13 < 6.16.5
LinuxLinux Kernel Version6.17 Updaterc1
LinuxLinux Kernel Version6.17 Updaterc2
LinuxLinux Kernel Version6.17 Updaterc3
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.047
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6
Patch
https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e
Patch
https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2
Patch
https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7
Patch
https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40
Patch
https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf
Patch
https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95
Patch
https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c
Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html