Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67398.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-67398
Upstream
Published
2025-09-16T13:15:57Z
Modified
2026-04-01T05:21:12.169726Z
Summary
CVE-2025-39817 affecting package kernel for versions less than 6.6.104.2-1
Details

In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Observed on kernel 6.6 (present on master as well):

    BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
    Call trace:
     kasan_check_range+0xe8/0x190
     __asan_loadN+0x1c/0x28
     memcmp+0x98/0xd0
     efivarfs_d_compare+0x68/0xd8
     __d_lookup_rcu_op_compare+0x178/0x218
     __d_lookup_rcu+0x1f8/0x228
     d_alloc_parallel+0x150/0x648
     lookup_open.isra.0+0x5f0/0x8d0
     open_last_lookups+0x264/0x828
     path_openat+0x130/0x3f8
     do_filp_open+0x114/0x248
     do_sys_openat2+0x340/0x3c0
     __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become negative, leading to oob. The issue can be triggered by parallel lookups using invalid filename:

    T1                              T2
    lookup_open
     ->lookup
      simple_lookup
       d_add
       // invalid dentry is added to hash list

                                    lookup_open
                                     d_alloc_parallel
                                      __d_lookup_rcu
                                       __d_lookup_rcu_op_compare
                                        hlist_bl_for_each_entry_rcu
                                        // invalid dentry can be retrieved
                                         ->d_compare
                                          efivarfs_d_compare
                                          // oob

Fix it by checking 'guid' before cmp.
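
A userspace model of the length check described above, added here as an illustration; it is not the kernel's code or the upstream patch. The names `GUID_LEN`, `guid_offset`, `unguarded_cmp_len`, `ci_equal` and `compare_checked` are hypothetical, and 36 is assumed as the textual GUID length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN 36 /* assumed textual GUID length; stands in for the kernel constant */

/* Offset where the GUID suffix would start; negative for names shorter than a GUID. */
static int guid_offset(unsigned int len)
{
    return (int)len - GUID_LEN;
}

/* Byte count an unguarded memcmp(a, b, guid) would receive after int -> size_t conversion. */
static size_t unguarded_cmp_len(unsigned int len)
{
    return (size_t)guid_offset(len);
}

/* Case-insensitive equality over n bytes (model of the GUID-part comparison). */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Guarded compare: 0 = match, 1 = mismatch. Rejects short names before any memcmp. */
static int compare_checked(const char *a, unsigned int alen,
                           const char *b, unsigned int blen)
{
    int guid = guid_offset(alen);

    if (alen != blen || guid < 0)
        return 1; /* too short to carry a GUID: never a match, no read performed */
    if (memcmp(a, b, (size_t)guid))
        return 1; /* name part compared byte-for-byte */
    return !ci_equal(a + guid, b + guid, GUID_LEN);
}

int main(void)
{
    /* Constructed sample: a 3-byte name, as an invalid filename would produce. */
    printf("offset=%d unguarded length=%zu checked=%d\n",
           guid_offset(3), unguarded_cmp_len(3), compare_checked("abc", 3, "abc", 3));
    return 0;
}
```
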

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.104.2-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67398.json"