CVE-2025-71306 - Vulnerability Details

- ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

Description

In the Linux kernel, the following vulnerability has been resolved:

ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
[48, 56) 'file'
[80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an out‑of‑bounds stack read caused by an incorrect use of container_of in is_bprm_creds_for_exec(). The bug can allow an attacker to read data from a kernel stack, potentially exposing sensitive information or causing a crash. It is a classic read buffer overflow (CWE‑125).

Affected Systems

All versions of the Linux kernel that include the IMA appraiser framework prior to the commit that fixed the bug are affected. The CVE has been reported for the core Linux kernel, meaning any distribution that ships the unpatched kernel is vulnerable. No specific version numbers are listed, so the issue applies to every release until the patch is applied.

Risk and Exploitability

The flaw is a local kernel read bug that does not provide remote code execution directly. The likely attack vector is local, requiring the attacker to run code that is processed by the IMA measurement function (e.g., using sudo). The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, implying low to medium exploitation probability. The impact is limited to information disclosure and potential kernel instability for privileged local users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`95b3cdafd7cb74414070893445a9b731793f7b55`	affected	< ab3d16da982a4ebb715d487dbf9dd66e3990d935
`95b3cdafd7cb74414070893445a9b731793f7b55`	affected	< 377cae9851e8559e9d8b82a78c1ac0abeb18839c

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[95b3cdafd7cb74414070893445a9b731793f7b55,ab3d16da982a4ebb715d487dbf9dd66e3990d935)`	affected	code_commit	—
`[95b3cdafd7cb74414070893445a9b731793f7b55,377cae9851e8559e9d8b82a78c1ac0abeb18839c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that contains the IMA stack‑out‑of‑bounds fix
Reboot the system to load the patched kernel
As a temporary measure, disable IMA enforcement (e.g., add the kernel boot parameter ima=none or disable the IMA subsystem through sysctl) until a patch can be applied

Generated by OpenCVE AI on May 27, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c
https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935

History

Wed, 27 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.
Title		ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:14:57.182Z

Updated: 2026-05-27T12:14:57.182Z

Reserved: 2026-05-08T13:14:33.088Z

Link: CVE-2025-71306

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:43.167

Modified: 2026-05-27T14:48:31.480

Link: CVE-2025-71306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T15:45:36Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object