Skip to main content

Linux Kernel CVE-2025-71306

| EUVDEUVD-2025-209970 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cw2f-qvgg-223g
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.3 MEDIUM

Local execution path (AV:L, PR:L); AC:H because the IMA-appraisal config gate is non-default; a 1-byte OOB read gives only C:L but can crash the task (A:H), with I:N.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:17 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.

AnalysisAI

Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.

Technical ContextAI

The flaw lives in the kernel integrity-measurement code that runs during program execution via the BPRM_CHECK security hook. When a process is executed, the IMA/LSM stack calls process_measurement() and ima_appraise_measurement(); the buggy code used container_of() on a struct file pointer to recover an enclosing structure, but that file pointer is not embedded in the assumed structure, so the back-computed offset points into an unrelated region of the caller's stack frame (the KASAN report shows a 1-byte read at offset 24 of a frame containing 'file' [48,56) and 'hash' [80,148)). This is a textbook CWE-125 (Out-of-bounds Read) driven by an invalid pointer-to-container assumption rather than a missing length check. The upstream fix removes the fragile container_of() inference and instead threads an explicit bprm_is_check boolean through process_measurement(), set true only when the caller holds a linux_binprm pointer and the hook is BPRM_CHECK, and false otherwise. CPE coverage is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, i.e. the kernel OS component generically.

RemediationAI

Apply the upstream fix by updating to a kernel build that includes stable commits ab3d16da982a4ebb715d487dbf9dd66e3990d935 and 377cae9851e8559e9d8b82a78c1ac0abeb18839c (Patch available per vendor advisory; EUVD references a 6.19.4 patched line, but the exact released tag is not independently confirmed). Track your distribution's kernel security update for CVE-2025-71306 and reboot into the patched kernel. As an interim compensating control where patching must be deferred, note that the vulnerable code only executes when IMA appraisal is enabled, so systems can reduce or eliminate exposure by not enabling IMA appraisal (ima_appraise / IMA policy appraise rules) where it is not operationally required - the trade-off is losing IMA-based runtime integrity enforcement, which is unacceptable on hosts that rely on IMA for boot/exec integrity, where prompt patching is the correct path instead. See https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c for the authoritative change.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2025-71306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy