CVE-2025-39817 in Linux
Summary
by MITRE • 09/16/2025
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename:
T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list
lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob
Fix it by checking 'guid' before cmp.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability CVE-2025-39817 resides within the Linux kernel's efivarfs filesystem implementation, specifically in the efivarfs_d_compare function where a slab-out-of-bounds memory access occurs due to improper validation of variable lengths during directory lookups. This flaw manifests as a kernel address sanitizer (KASAN) error during a memcmp operation, indicating that memory is being accessed beyond the allocated slab boundaries. The issue is particularly concerning because it can be triggered through parallel filesystem lookups involving invalid filenames, making it exploitable in scenarios where concurrent access patterns are present. The vulnerability is present in kernel version 6.6 and affects the master branch, indicating a persistent flaw across kernel development lines.
The technical root cause stems from a logic error in how the efivarfs_d_compare function handles the comparison of directory entry names against EFI variable GUID lengths. When a directory entry's name length is less than EFI_VARIABLE_GUID_LEN, the calculation of the 'guid' variable becomes negative, which subsequently leads to out-of-bounds memory access during the memcmp operation. This occurs because the function does not properly validate the bounds of the data being compared before performing memory operations, creating a classic buffer overflow scenario within kernel space. The flaw is particularly insidious as it leverages the concurrent nature of filesystem lookups to expose the vulnerability through race conditions in the dentry hash list management.
The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a potential pathway for privilege escalation and system instability. Attackers can exploit this weakness by orchestrating parallel filesystem lookups with malformed filenames, triggering the out-of-bounds memory access that could lead to kernel memory corruption. This type of vulnerability aligns with CWE-121, which addresses stack-based buffer overflow conditions, and more specifically with CWE-787, which covers out-of-bounds write operations. The attack surface is particularly relevant in environments where multiple processes access EFI variables simultaneously, such as in secure boot implementations or systems with complex firmware interactions.
The fix for this vulnerability involves implementing a proper bounds check on the 'guid' variable before any comparison operations occur within the efivarfs_d_compare function. This mitigation strategy directly addresses the core issue by preventing negative index calculations that lead to out-of-bounds memory access. From an ATT&CK perspective, this vulnerability could be categorized under T1068, which deals with exploit for privilege escalation, and T1499, covering network denial of service through resource exhaustion. The remediation approach follows standard kernel security practices for preventing memory safety issues, emphasizing the importance of input validation and bounds checking in kernel-space operations. System administrators should prioritize applying the kernel patch that resolves this issue, particularly in environments where concurrent filesystem access patterns are common, as the vulnerability can lead to system crashes or potentially exploitable memory corruption conditions.