CVE-2025-39840
- Source
- https://cve.org/CVERecord?id=CVE-2025-39840
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39840.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39840
- Downstream
- Related
- Published
- 2025-09-19T15:26:15.596Z
- Modified
- 2026-03-20T12:43:04.419876Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- audit: fix out-of-bounds read in audit_compare_dname_path()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
audit: fix out-of-bounds read in auditcomparedname_path()
When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in auditcomparedname_path().
The helper parentlen() returns 1 for "/". In auditcomparednamepath(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access.
[PM: subject tweak, sign-off email fixes]
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39840.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/4540f1d23e7f387880ce46d11b5cd3f27248bf8d
- https://git.kernel.org/stable/c/9735a9dcc307427e7d6336c54171682f1bac9789
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39840.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-39840
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git