CVE-2025-39840

Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 19 Sept 2025, 15:26
Last modified:11 May 2026, 21:37

Vulnerability Summary

Overall Risk (default)
medium
28/100
CVSS Score
7.1 HIGH
v3.1 (cve.org)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

19 Sept 2025, 15:26
Published
Vulnerability first disclosed
11 May 2026, 21:37
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: audit: fix out-of-bounds read in audit_compare_dname_path() When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in audit_compare_dname_path(). The helper parent_len() returns 1 for "/". In audit_compare_dname_path(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read. Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access. [PM: subject tweak, sign-off email fixes]

CVSS Metrics

  • v3.1HIGHScore: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Trends

Current EPSS score: 0.02% Percentile: 6%

Techniques & Countermeasures

  • CWE-125Out-of-bounds Read

    The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

  • linuxlinux

    ≥ e92eebb0d6116f942ab25dfb1a41905aa59472a8, < 9735a9dcc307427e7d6336c54171682f1bac9789 | ≥ e92eebb0d6116f942ab25dfb1a41905aa59472a8, < 4540f1d23e7f387880ce46d11b5cd3f27248bf8d | 6.14

  • linuxlinux_kernel

    ≥ 6.14, < 6.16.6 | 6.17:rc1 | 6.17:rc2 | 6.17:rc3 | 6.17:rc4

References (2)