CVE-2025-39683
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
05/09/2025
Last modified:
08/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
tracing: Limit access to parser->buffer when trace_get_user failed<br />
<br />
When the length of the string written to set_ftrace_filter exceeds<br />
FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:<br />
<br />
BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0<br />
Read of size 1 at addr ffff0000d00bd5ba by task ash/165<br />
<br />
CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty<br />
Hardware name: linux,dummy-virt (DT)<br />
Call trace:<br />
show_stack+0x34/0x50 (C)<br />
dump_stack_lvl+0xa0/0x158<br />
print_address_description.constprop.0+0x88/0x398<br />
print_report+0xb0/0x280<br />
kasan_report+0xa4/0xf0<br />
__asan_report_load1_noabort+0x20/0x30<br />
strsep+0x18c/0x1b0<br />
ftrace_process_regex.isra.0+0x100/0x2d8<br />
ftrace_regex_release+0x484/0x618<br />
__fput+0x364/0xa58<br />
____fput+0x28/0x40<br />
task_work_run+0x154/0x278<br />
do_notify_resume+0x1f0/0x220<br />
el0_svc+0xec/0xf0<br />
el0t_64_sync_handler+0xa0/0xe8<br />
el0t_64_sync+0x1ac/0x1b0<br />
<br />
The reason is that trace_get_user will fail when processing a string<br />
longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.<br />
Then an OOB access will be triggered in ftrace_regex_release-><br />
ftrace_process_regex->strsep->strpbrk. We can solve this problem by<br />
limiting access to parser->buffer when trace_get_user failed.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.269 (including) | 4.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.269 (including) | 4.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.233 (including) | 4.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.191 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.118 (including) | 5.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.36 (including) | 5.10.241 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11.20 (including) | 5.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12.3 (including) | 5.15.190 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.149 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.16.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3079517a5ba80901fe828a06998da64b9b8749be
- https://git.kernel.org/stable/c/418b448e1d7470da9d4d4797f71782595ee69c49
- https://git.kernel.org/stable/c/41b838420457802f21918df66764b6fbf829d330
- https://git.kernel.org/stable/c/58ff8064cb4c7eddac4da1a59da039ead586950a
- https://git.kernel.org/stable/c/6a909ea83f226803ea0e718f6e88613df9234d58
- https://git.kernel.org/stable/c/b842ef39c2ad6156c13afdec25ecc6792a9b67b9
- https://git.kernel.org/stable/c/d0c68045b8b0f3737ed7bd6b8c83b7887014adee
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html