CVE-2025-71197 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
w1: therm: Fix off-by-one buffer overflow in alarms_store
The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'.
Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/30/2026
The vulnerability CVE-2025-71197 represents a critical buffer overflow condition within the Linux kernel's One-Wire subsystem, specifically affecting the thermal alarm management functionality. This issue resides in the w1 therm driver component responsible for handling temperature monitoring through One-Wire bus devices. The flaw manifests in the alarms_store() function which processes sysfs buffer inputs for configuring temperature alarms. The vulnerability is classified as an off-by-one error that creates a classic buffer overflow scenario, making it susceptible to potential exploitation by malicious actors who could manipulate system memory through crafted input data.
The technical implementation flaw stems from a fundamental miscalculation in memory allocation and string handling within the kernel's device driver interface. When processing alarm configuration data through sysfs, the code allocates memory using 'size + 1' bytes to accommodate a null terminator as intended, yet the size parameter calculation fails to account for this additional byte in the allocation logic. This discrepancy creates a scenario where the actual memory allocation uses only 'size' bytes while strcpy() operations attempt to copy data that includes the null terminator at position 'size', effectively writing one byte beyond the allocated buffer boundaries. This classic buffer overflow vulnerability directly violates the principle of proper memory management and string handling in kernel space operations.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation and system instability within kernel contexts. Attackers could exploit this vulnerability by crafting malicious input data through the sysfs interface, causing the kernel to write beyond allocated memory regions and potentially overwrite critical kernel structures or data. The vulnerability affects systems utilizing One-Wire temperature sensors where thermal alarm configurations are managed through the kernel's sysfs interface, particularly impacting embedded systems, servers, and IoT devices that rely on kernel-level temperature monitoring capabilities. The exploitation could lead to system crashes, denial of service conditions, or in more sophisticated scenarios, arbitrary code execution within kernel space.
The mitigation strategy implemented in the fix addresses the root cause by eliminating the problematic string copying mechanism entirely. Rather than allocating intermediate memory buffers and using strcpy() operations that are prone to overflow conditions, the solution employs simple_strtoll() for direct parsing of the buffer parameter. This approach removes the need for memory allocation calculations that could lead to buffer overflows while simultaneously simplifying the code structure and reducing potential attack surface. The fix aligns with established security practices for kernel development, specifically addressing CWE-121, which covers stack-based buffer overflow conditions, and follows ATT&CK technique T1068 for privilege escalation through kernel exploits. The solution demonstrates proper defensive programming by avoiding dangerous string handling patterns and implementing robust input validation mechanisms that prevent memory corruption scenarios.
This vulnerability highlights the critical importance of proper memory management in kernel space operations, where even seemingly minor miscalculations can lead to severe security implications. The fix represents a best practice approach to kernel security by eliminating the problematic code pattern entirely rather than attempting to patch the overflow condition through additional bounds checking. The resolution demonstrates the necessity of rigorous code review processes for kernel subsystems, particularly those handling user-space interface interactions through sysfs mechanisms. The vulnerability serves as a reminder of the ongoing need for comprehensive security testing and code analysis in kernel development environments, where the consequences of memory corruption can extend far beyond simple functional failures into complete system compromise scenarios.