CVE-2025-71306
HIGHCVSS v3.1: 7.1 · EPSS: 0.0019 (8.7 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.1 v3.1 · NVD
- EPSS
- 0.0019 (8.7 percentile) · FIRST.org
- CISA KEV
- No
- Type
- Out-of-bounds Read · NVD CWE
- Attack conditions (CVSS vector)
- No user interaction · Source: NVD Vector
- Affected vendors
- linux
- Published
- 2026-05-27 · Modified: 2026-06-25
- References
- Jump to references (2)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.