VYPR
High severity 7.1 · NVD Advisory · Published Sep 16, 2025 · Updated May 12, 2026

CVE-2025-39817

Description

In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Observed on kernel 6.6 (present on master as well):

BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
 kasan_check_range+0xe8/0x190
 __asan_loadN+0x1c/0x28
 memcmp+0x98/0xd0
 efivarfs_d_compare+0x68/0xd8
 __d_lookup_rcu_op_compare+0x178/0x218
 __d_lookup_rcu+0x1f8/0x228
 d_alloc_parallel+0x150/0x648
 lookup_open.isra.0+0x5f0/0x8d0
 open_last_lookups+0x264/0x828
 path_openat+0x130/0x3f8
 do_filp_open+0x114/0x248
 do_sys_openat2+0x340/0x3c0
 __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become negative, leading to oob. The issue can be triggered by parallel lookups using an invalid filename:

T1                              T2
lookup_open
 ->lookup
  simple_lookup
   d_add
   // invalid dentry is added to hash list

                                lookup_open
                                 d_alloc_parallel
                                  __d_lookup_rcu
                                   __d_lookup_rcu_op_compare
                                    hlist_bl_for_each_entry_rcu
                                    // invalid dentry can be retrieved
                                     ->d_compare
                                      efivarfs_d_compare
                                      // oob

Fix it by checking 'guid' before cmp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A slab-out-of-bounds read in the Linux kernel's efivarfs filesystem can be triggered by parallel lookups with crafted filenames, leading to potential information disclosure.

Vulnerability

Details

CVE-2025-39817 is a slab-out-of-bounds read vulnerability in the efivarfs_d_compare function of the Linux kernel's efivarfs filesystem. The root cause is that the guid offset, computed as the dentry name length minus EFI_VARIABLE_GUID_LEN, is not validated: when the name is shorter than EFI_VARIABLE_GUID_LEN the offset is negative, and passing it to memcmp results in an out-of-bounds memory access [1]. This was discovered through Kernel Address Sanitizer (KASAN) reports on kernel 6.6 and later confirmed on the mainline kernel.

Exploitation

The vulnerability can be exploited by an attacker with local access to the system. The attack involves performing parallel lookup operations on the efivarfs filesystem (typically mounted at /sys/firmware/efi/efivars) using specially crafted filenames that are shorter than the expected GUID length. A race condition between two concurrent lookup operations can cause an invalid dentry to be added to the directory hash list. When a subsequent lookup retrieves this dentry and calls efivarfs_d_compare, the out-of-bounds read occurs [1]. No special privileges beyond local access are required, making this a low-complexity attack.

Impact

Successful exploitation allows an attacker to read kernel memory beyond the intended bounds, potentially leaking sensitive information. The out-of-bounds read can also cause a kernel panic, leading to a denial of service. The CVSS v3 score of 7.1 (High) reflects the potential for confidentiality impact and system availability disruption.

Mitigation

The fix has been applied to the Linux kernel stable branches. The commits identified by [2], [3], and [4] address the issue by adding a check on the guid value before performing the comparison. Users should update their kernels to the latest stable version that includes these patches. The Siemens advisory [1] lists this CVE among affected products, indicating that embedded systems using the kernel may also require patching.
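The offset arithmetic the commit message above describes, and the kind of check the Mitigation paragraph refers to, modelled in user-space C. This is an added example, not the kernel's code, and the upstream diff is not reproduced on this page: the function names (compare_unchecked, compare_checked, memcmp_len_for), the exact threshold of the check and the sample variable names are assumptions. What the model shows is the part the trace alone does not: a negative int offset handed to memcmp becomes a huge size_t length.

```c
/* Added example: user-space model of the efivarfs d_compare offset bug
 * described for CVE-2025-39817 and of the check the fix adds. Not the
 * kernel's code; names and the check threshold are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* efivarfs names have the form "<VariableName>-<GUID>"; a textual GUID
 * ("8be4df61-93ca-11d2-aa0d-00e098032b8c") is 36 characters long. */
#define EFI_VARIABLE_GUID_LEN 36

/* Offset of the GUID inside a name of length len, computed the way the
 * vulnerable code does it: a signed int that is negative for any name
 * shorter than EFI_VARIABLE_GUID_LEN. */
static int guid_offset(unsigned int len)
{
    return (int)len - EFI_VARIABLE_GUID_LEN;
}

/* Case-insensitive compare of exactly n bytes (stand-in for strncasecmp). */
static int guid_casecmp(const char *x, const char *y, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int cx = tolower((unsigned char)x[i]);
        int cy = tolower((unsigned char)y[i]);
        if (cx != cy)
            return cx - cy;
    }
    return 0;
}

/* The length memcmp() actually receives when the int offset is converted
 * to size_t: for a 5-character name, -31 becomes SIZE_MAX - 30. */
size_t memcmp_len_for(unsigned int len)
{
    int guid = guid_offset(len);
    return (size_t)guid;
}

/* Vulnerable shape: uses the unchecked offset as the memcmp length.
 * Only safe when both names are at least EFI_VARIABLE_GUID_LEN + 1 long;
 * the test below never feeds it a short name. Returns 0 on match. */
int compare_unchecked(const char *str, unsigned int len,
                      const char *name, unsigned int name_len)
{
    int guid = guid_offset(len);

    if (name_len != len)
        return 1;
    /* Case-sensitive compare of the variable-name part */
    if (memcmp(str, name, (size_t)guid))
        return 1;
    /* Case-insensitive compare of the GUID part */
    return guid_casecmp(name + guid, str + guid, EFI_VARIABLE_GUID_LEN) != 0;
}

/* Hardened shape: reject any name whose GUID offset is not positive
 * before touching memory. The "<= 0" threshold is an assumption here;
 * it encodes that a valid name has at least one character before the
 * GUID, so a bare GUID (offset 0) is also treated as a non-match. */
int compare_checked(const char *str, unsigned int len,
                    const char *name, unsigned int name_len)
{
    int guid = guid_offset(len);

    if (guid <= 0)
        return 1;          /* too short to hold "<name>-<GUID>" */
    if (name_len != len)
        return 1;
    if (memcmp(str, name, (size_t)guid))
        return 1;
    return guid_casecmp(name + guid, str + guid, EFI_VARIABLE_GUID_LEN) != 0;
}

int main(void)
{
    /* Constructed sample names (not real firmware variables). */
    const char *a = "Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c";
    const char *b = "Boot0001-8BE4DF61-93CA-11D2-AA0D-00E098032B8C";
    const char *bad = "short";

    printf("checked compare, valid names (0 = match): %d\n",
           compare_checked(a, (unsigned)strlen(a), b, (unsigned)strlen(b)));
    printf("memcmp length for a %zu-char name: %zu\n",
           strlen(bad), memcmp_len_for((unsigned)strlen(bad)));
    printf("checked compare rejects short name: %d\n",
           compare_checked(bad, (unsigned)strlen(bad), bad, (unsigned)strlen(bad)));
    return 0;
}
```

The two compare functions differ only in the early check; the case-insensitive GUID compare and the case-sensitive name compare are the same. In the unchecked version a 5-character name produces the length memcmp_len_for reports, and memcmp walks far past the slab object holding the name, which is the read KASAN flagged. The checked version returns "no match" before any byte is read, so an invalid dentry reached through the parallel-lookup race described above is simply rejected.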

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
