Bug 2482189 (CVE-2025-71306) - CVE-2025-71306 kernel: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
Summary: CVE-2025-71306 kernel: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
Keywords:
Status: NEW
Alias: CVE-2025-71306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:15 UTC by OSIDB Bzimport
Modified: 2026-05-28 20:24 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:15:32 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
 Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
  ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
  [48, 56) 'file'
  [80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.
Comment 1 Keith Grant 2026-05-28 20:22:21 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052706-CVE-2025-71306-f80c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.