CVE-2025-39840

When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in auditcomparedname_path().

The helper parentlen() returns 1 for "/". In auditcomparednamepath(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access.

[PM: subject tweak, sign-off email fixes]

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39840.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e92eebb0d6116f942ab25dfb1a41905aa59472a8

Fixed

9735a9dcc307427e7d6336c54171682f1bac9789

Fixed

4540f1d23e7f387880ce46d11b5cd3f27248bf8d

Affected versions

v6.*

v6.13

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.16.1

v6.16.2

v6.16.3

v6.16.4

v6.16.5

v6.17-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39840.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.14.0

Fixed

6.16.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39840.json"