CVE-2025-39926
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-12-11
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.9 (inc) to 6.12.48 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.16.8 (exc) |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel involves the genetlink subsystem where the genl_bind() function incorrectly invoked the bind() callback even when permission checks failed (specifically when returning -EPERM). This meant that unauthorized callers could trigger callbacks despite the syscall failing, potentially allowing actions to be performed on their behalf without proper authorization. The fix ensures that the bind() callback is only invoked after successful permission checks.
How can this vulnerability impact me? :
The vulnerability could allow unauthorized users to cause callbacks to run on their behalf, potentially leading to unauthorized actions or information disclosure within the kernel's genetlink subsystem. Although the syscall returns a failure to user space, the unauthorized invocation of callbacks could be exploited to affect system behavior or security.