DEBIAN-CVE-2025-39917
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-39917
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39917.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-39917
- Upstream
- Published
- 2025-10-01T08:15:34.887Z
- Modified
- 2026-04-28T20:30:08.535222Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds dynptr write in bpfcryptocrypt Stanislav reported that in bpfcryptocrypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source. Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr: psrc = __bpfdynptrdata(src, src_len); [...] pdst = _bpfdynptrdatarw(dst, dstlen); [...] err = decrypt ? ctx->type->decrypt(ctx->tfm, psrc, pdst, srclen, piv) : ctx->type->encrypt(ctx->tfm, psrc, pdst, srclen, piv); The crypto backend expects pdst to be large enough with a srclen length that can be written. Add an additional srclen > dstlen check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.16.8-1