CVE-2025-38639
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.10.244 |
| linux | linux_kernel | 6.1.153 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's netfilter component (xt_nfacct) involves an assumption that an account name is null-terminated, which is incorrect. This leads to a slab-out-of-bounds read error detected by KASAN, causing a read of memory beyond the intended buffer in the function lib/vsprintf.c. The issue arises because the error handling code relies on the presence of a null-terminated string, but the function nfnl_acct_find_get() can handle non-null input, leading to unsafe memory access.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory reads in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to leak sensitive information from kernel memory. It could be exploited to compromise system security or cause denial of service.