CVE-2025-39974
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()

When configuring osnoise cpus via the write() syscall, the following KASAN splat may be observed:

    BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130
    Read of size 1 at addr ffff88810121e3a1 by task test/447
    CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x55/0x70
     print_report+0xcb/0x610
     kasan_report+0xb8/0xf0
     _parse_integer_limit+0x103/0x130
     bitmap_parselist+0x16d/0x6f0
     osnoise_cpus_write+0x116/0x2d0
     vfs_write+0x21e/0xcc0
     ksys_write+0xee/0x1c0
     do_syscall_64+0xa8/0x2a0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     </TASK>

This issue can be reproduced by the code below:

    const char *cpulist = "1";
    int fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
    write(fd, cpulist, strlen(cpulist));

Function bitmap_parselist() was called to parse cpulist; it requires that the parameter 'buf' be terminated with a '\0' or '\n'. Fix this issue by adding a '\0' to 'buf' in osnoise_cpus_write().

Meta Information
Published: 2025-10-15
Last Modified: 2025-10-16
Generated: 2026-05-06
AI Q&A: 2025-10-15
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | 6.17.0-rc6

CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a slab-out-of-bounds error in the Linux kernel's tracing/osnoise component, specifically in the _parse_integer_limit() function. It occurs when writing to the /sys/kernel/debug/tracing/osnoise/cpus file using the write() syscall without properly null-terminating the input buffer. The function bitmap_parselist() expects the input buffer to end with a '\0' or '\n', but this was not ensured, leading to an out-of-bounds read and a potential kernel memory corruption.
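
The failure mode described above, as a userspace C model (an added example, not kernel code and not code from this page). The function names, the 16-byte object and its stale contents "255\n" are constructed assumptions, as is the premise that the unfixed handler copied exactly `count` bytes into a `count`-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#define OBJ_SIZE 16  /* constructed size of the modelled slab object */
struct result {
    unsigned long value;  /* number the parser produced */
    size_t bytes_read;    /* bytes examined, terminator included */
};

/* Stand-in for a parser with no length argument: stops only at '\0' or '\n'. */
static struct result parse_number(const char *buf)
{
    struct result r = {0, 0};
    for (; buf[r.bytes_read] != '\0' && buf[r.bytes_read] != '\n'; r.bytes_read++)
        if (buf[r.bytes_read] >= '0' && buf[r.bytes_read] <= '9')
            r.value = r.value * 10 + (unsigned long)(buf[r.bytes_read] - '0');
    r.bytes_read++;  /* count the terminator that ended the scan */
    return r;
}

/* Before the fix (model): `count` bytes copied, no terminator. count < OBJ_SIZE. */
static struct result write_unterminated(char *obj, const char *ubuf, size_t count)
{
    memcpy(obj, ubuf, count);
    return parse_number(obj);
}

/* After the fix (model): room for count + 1 bytes, '\0' stored at the end. */
static struct result write_terminated(char *obj, const char *ubuf, size_t count)
{
    memcpy(obj, ubuf, count);
    obj[count] = '\0';
    return parse_number(obj);
}

/* Runs the page's input "1" against an object holding constructed stale data. */
static struct result demo(int terminate)
{
    char obj[OBJ_SIZE] = "255\n";  /* stale bytes from an earlier use; rest is zero */
    const char *cpulist = "1";     /* same string as the reproducer on this page */
    return terminate ? write_terminated(obj, cpulist, strlen(cpulist))
                     : write_unterminated(obj, cpulist, strlen(cpulist));
}

int main(void)
{
    struct result bad = demo(0), good = demo(1);
    printf("unterminated: value=%lu read=%zu | terminated: value=%lu read=%zu\n",
           bad.value, bad.bytes_read, good.value, good.bytes_read);
    return 0;
}
```

In this model the over-read stays inside the 16-byte array, so the program is well defined and simply shows the parser consuming stale bytes. In the kernel the equivalent read leaves the allocation, which is what the KASAN report in the description records.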


How can this vulnerability impact me?

This vulnerability can cause a kernel slab-out-of-bounds read, which may lead to kernel memory corruption, system instability, crashes, or potential escalation of privileges if exploited. It affects the stability and security of the Linux kernel when the osnoise cpus interface is written to improperly.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to write to the /sys/kernel/debug/tracing/osnoise/cpus file with a CPU list string that is not properly null-terminated, which may trigger a KASAN slab-out-of-bounds error. For example, running the following commands in a Linux environment with debugging enabled may reproduce the issue and reveal the vulnerability:

1. Open a terminal with root privileges.
2. Run: echo -n '1' > /sys/kernel/debug/tracing/osnoise/cpus

If the system logs show a KASAN slab-out-of-bounds error referencing _parse_integer_limit, the vulnerability is present. Monitoring kernel logs (e.g., using dmesg) after this operation can help detect the issue.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves ensuring that any writes to /sys/kernel/debug/tracing/osnoise/cpus properly null-terminate the input buffer to prevent the slab-out-of-bounds error. Applying the patch that fixes the osnoise_cpus_write() function to add a '\0' terminator to the buffer is necessary. Until the patch is applied, avoid writing to /sys/kernel/debug/tracing/osnoise/cpus or restrict access to this interface to trusted users only.

