CVE-2025-39687
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

iio: light: as73211: Ensure buffer holes are zeroed

Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.
Analysis
A local information disclosure vulnerability exists in the Linux kernel's AS73211 IIO light sensor driver where uninitialized buffer memory (padding holes) is not zeroed before being copied to a kfifo accessible to userspace. This allows a local authenticated attacker to read sensitive kernel memory contents. With a very low EPSS score of 0.01% (3rd percentile) and no known active exploitation, this represents a theoretical rather than actively exploited risk.
Technical Context
The vulnerability affects the Industrial I/O (IIO) subsystem in the Linux kernel, specifically the AMS AS73211 light sensor driver (drivers/iio/light/as73211.c). When sensor data is captured into a buffer structure, compiler-inserted padding bytes between structure members may contain residual kernel memory that is not explicitly zeroed. This buffer is subsequently copied to a kfifo (kernel first-in-first-out queue) that userspace applications can read via the IIO interface. The affected products span multiple Linux kernel versions as indicated by CPE data, including kernels up through release candidates 6.17-rc1 and 6.17-rc2, as well as Debian Linux 11.0. This represents a classic information disclosure vulnerability class where structure padding leaks kernel memory to unprivileged contexts.
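An added illustration of the padding-hole pattern described above, not code from the kernel driver. The `struct scan` layout, the `fill_frame` and `leaked_bytes` helpers and the 0xA5 stale-memory marker are assumptions made for this userspace demonstration, which compares a frame filled without and with a prior `memset`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scan layout, not the driver's own: 6 bytes of channel data,
 * then compiler padding up to the alignment of the timestamp. */
struct scan {
    uint16_t chan[3];
    int64_t  ts;
};

#define HOLE_OFF (offsetof(struct scan, chan) + 3 * sizeof(uint16_t))
#define HOLE_LEN (offsetof(struct scan, ts) - HOLE_OFF)
#define STALE    0xA5 /* constructed stand-in for leftover kernel memory */

/* Build one frame as a capture handler would; zero_first selects the fix. */
static void fill_frame(unsigned char *frame, int zero_first,
                       const uint16_t *chan, int64_t ts)
{
    if (zero_first)
        memset(frame, 0, sizeof(struct scan)); /* hardened: clear the holes */
    memcpy(frame + offsetof(struct scan, chan), chan, 3 * sizeof(uint16_t));
    memcpy(frame + offsetof(struct scan, ts), &ts, sizeof(ts));
}

/* Count padding bytes that still hold stale content when the frame
 * would be handed to the reader. */
static size_t leaked_bytes(int zero_first)
{
    unsigned char frame[sizeof(struct scan)];
    const uint16_t chan[3] = { 0x0101, 0x0202, 0x0303 }; /* constructed */
    size_t i, n = 0;

    memset(frame, STALE, sizeof(frame)); /* simulate reused memory */
    fill_frame(frame, zero_first, chan, 1234567890LL);
    for (i = 0; i < HOLE_LEN; i++)
        n += (frame[HOLE_OFF + i] == STALE);
    return n;
}

int main(void)
{
    printf("hole: %zu bytes at offset %zu\n", (size_t)HOLE_LEN, (size_t)HOLE_OFF);
    printf("leaked without memset: %zu\n", leaked_bytes(0));
    printf("leaked with memset:    %zu\n", leaked_bytes(1));
    return 0;
}
```

Every member is written in both cases, so a review that only checks that all fields are assigned does not catch the hole; the check that does is whether the whole object is zeroed before it is filled.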
Affected Products
The vulnerability affects the Linux kernel across multiple version ranges, with specific impacts on kernels that include the AS73211 IIO light sensor driver. Based on CPE data, affected versions include various Linux kernel releases up through and including release candidates 6.17-rc1 and 6.17-rc2. Debian Linux 11.0 is also confirmed affected via CPE cpe:2.3:o:debian:debian_linux:11.0. Debian has published LTS security advisories addressing this issue at https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html and https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html. The vulnerability specifically impacts systems utilizing the AMS AS73211 light sensor hardware with the corresponding kernel driver enabled.
Remediation
Apply the available kernel patches from the upstream stable kernel tree. Patches are available at multiple commit references:

- https://git.kernel.org/stable/c/433b99e922943efdfd62b9a8e3ad1604838181f2
- https://git.kernel.org/stable/c/83f14c4ca1ad78fcfb3e0de07d6d8a0c59550fc2
- https://git.kernel.org/stable/c/8acd9a0eaa8c9a28e385c0a6a56bb821cb549771
- https://git.kernel.org/stable/c/99b508340d0d1b9de0856c48c77898b14c0df7cf
- https://git.kernel.org/stable/c/cce55ca4e7a221d5eb2c0b757a868eacd6344e4a
- https://git.kernel.org/stable/c/d8c5d87a431596e0e02bd7fe3bff952b002a03bb
- https://git.kernel.org/stable/c/fd441fd972067f80861a0b66605c0febb0d038dd

For Debian systems, follow the distribution-specific security advisories at the Debian LTS announcement pages.

As a temporary mitigation until patching, restrict local access to trusted users only and consider disabling or removing the AS73211 driver module if the hardware is not essential to system operation.