CVE-2025-39917
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt

Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source.

Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr:

  psrc = __bpf_dynptr_data(src, src_len);
  [...]
  pdst = __bpf_dynptr_data_rw(dst, dst_len);
  [...]
  err = decrypt ?
        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);

The crypto backend expects pdst to be large enough with a src_len length that can be written. Add an additional src_len > dst_len check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.
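
The check described above, modelled in userspace C as an added example; it is not the kernel's code and not part of the advisory text. `struct buf`, `toy_backend` and `model_crypt` are hypothetical names, the XOR backend is a constructed stand-in for a real cipher, and the `-EINVAL` return value is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical userspace stand-in for a dynptr: a linear buffer and its size. */
struct buf { uint8_t *data; size_t size; };

/* Toy backend (constructed, not a real cipher). Like the crypto backend in the
 * description, it writes exactly len bytes to dst and trusts its caller. */
static void toy_backend(const uint8_t *src, uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ 0x5a;
}

/* Model of the fixed call path: compare the sizes before the backend runs. */
int model_crypt(const struct buf *src, struct buf *dst)
{
    if (src->size > dst->size)  /* the src_len > dst_len check the fix adds */
        return -EINVAL;         /* assumed error code */
    toy_backend(src->data, dst->data, src->size);
    return 0;
}

/* Constructed case: 16-byte source, 8-byte destination followed by an 8-byte
 * canary. Returns 1 if the call is rejected and no byte of the region changed. */
int short_dst_is_rejected(void)
{
    uint8_t in[16], region[16];
    memset(in, 0x11, sizeof in);
    memset(region, 0xee, sizeof region);
    struct buf src = { in, sizeof in };
    struct buf dst = { region, 8 };  /* region[8..15] is the canary */
    int err = model_crypt(&src, &dst);
    for (size_t i = 0; i < sizeof region; i++)
        if (region[i] != 0xee)
            return 0;
    return err == -EINVAL;
}

/* A destination at least as large as the source is still accepted: returns 1
 * if 8 bytes written into a 12-byte buffer round-trip through the toy backend. */
int larger_dst_roundtrip(void)
{
    uint8_t in[8] = "dynptr!", mid[12] = {0}, out[12] = {0};
    struct buf a = { in, 8 }, b = { mid, 12 }, c = { mid, 8 }, d = { out, 12 };
    if (model_crypt(&a, &b) != 0 || model_crypt(&c, &d) != 0)
        return 0;
    return memcmp(in, out, 8) == 0 && mid[8] == 0;
}
```

Without the size comparison, the first case would have the backend write 16 bytes through an 8-byte destination, which is the CWE-787 condition this entry records.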
Meta Information
Published: 2025-10-01
Last Modified: 2025-12-12
Generated: 2026-05-07
AI Q&A: 2025-10-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 7 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  From 6.10 (inc) to 6.12.48 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.16.8 (exc)
linux   linux_kernel  6.17
linux   linux_kernel  6.17
linux   linux_kernel  6.17
linux   linux_kernel  6.17
linux   linux_kernel  6.17
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an out-of-bounds (OOB) write issue in the Linux kernel's bpf_crypto_crypt function. It occurs because the size of the destination dynamic pointer (dynptr) is not checked to ensure it is at least as large as the source dynptr before performing a write operation. If the destination is smaller than the source, writing data can overflow the destination buffer, potentially corrupting memory.


How can this vulnerability impact me?

The vulnerability can lead to memory corruption due to out-of-bounds writes when the destination buffer is smaller than the source buffer during cryptographic operations in the kernel. Since these functions are accessible only with root privileges, exploitation could allow an attacker with root access to cause system instability, crashes, or potentially execute arbitrary code within the kernel context.


What immediate steps should I take to mitigate this vulnerability?

Since the vulnerability involves an out-of-bounds write in the Linux kernel's bpf_crypto_crypt function, which is accessible only under root privileges, immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed. Avoid running untrusted BPF programs with root privileges until the patch is applied.

