CVE-2025-39840

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
19/09/2025
Last modified:
12/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

audit: fix out-of-bounds read in audit_compare_dname_path()

When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access.

[PM: subject tweak, sign-off email fixes]
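The loop condition described above, modelled in userspace C as an added example (not the kernel source). The names `trim_child` and `struct trim_result` are hypothetical, `parentlen` is passed in directly instead of calling parent_len(), and the model records the negative-index read instead of performing it.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of trimming trailing slashes from the child part of a path. */
struct trim_result {
    int pathlen; /* length of the child component after trimming */
    int oob;     /* 1 if the loop would have read below p, i.e. p[-1] */
};

/*
 * Model of the trailing-slash loop from the advisory.
 * guarded == 0: the loop tests only p[pathlen - 1] == '/'
 * guarded == 1: the loop also requires pathlen > 0 (the fix)
 */
static struct trim_result trim_child(const char *path, int parentlen, int guarded)
{
    struct trim_result r = { (int)strlen(path) - parentlen, 0 };
    const char *p = path + parentlen; /* start of the child component */

    for (;;) {
        if (guarded && r.pathlen <= 0)
            break;                 /* fixed condition stops before any read */
        if (r.pathlen - 1 < 0) {   /* unguarded loop would dereference p[-1] */
            r.oob = 1;
            break;
        }
        if (p[r.pathlen - 1] != '/')
            break;
        r.pathlen--;
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: the advisory's case ("/", parentlen 1) and a normal path. */
    const char *paths[] = { "/", "/tmp/a/" };
    const int parentlens[] = { 1, 5 };

    for (int i = 0; i < 2; i++) {
        struct trim_result before = trim_child(paths[i], parentlens[i], 0);
        struct trim_result after = trim_child(paths[i], parentlens[i], 1);
        printf("path=%-8s parentlen=%d unguarded_oob=%d guarded_oob=%d pathlen=%d\n",
               paths[i], parentlens[i], before.oob, after.oob, after.pathlen);
    }
    return 0;
}
```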

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.16.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* | | |