2396936 – (CVE-2025-39840) CVE-2025-39840 kernel: audit: fix out-of-bounds read in audit_compare_dname_path()

Bug 2396936 (CVE-2025-39840) - CVE-2025-39840 kernel: audit: fix out-of-bounds read in audit_compare_dname_path()

Summary: CVE-2025-39840 kernel: audit: fix out-of-bounds read in audit_compare_dname_p...

Keywords:
Status:	NEW
Alias:	CVE-2025-39840
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-19 16:02 UTC by OSIDB Bzimport
Modified:	2025-09-26 15:14 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-19 16:02:45 UTC

In the Linux kernel, the following vulnerability has been resolved:

audit: fix out-of-bounds read in audit_compare_dname_path()

When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.

[PM: subject tweak, sign-off email fixes]

Comment 1 Jon Moroney 2025-09-19 16:44:29 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091902-CVE-2025-39840-bad6@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.