CVE-2025-71306 - Vulnerability Details

- ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

Description

In the Linux kernel, the following vulnerability has been resolved:

ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
[48, 56) 'file'
[80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.

Published: 2026-05-27

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is caused by an incorrect use of container_of on a file pointer in the IMA appraise measurement function, resulting in a stack-out-of-bounds read during is_bprm_creds_for_exec(). This out-of-bounds access can expose data stored on the kernel stack or lead to a crash when privileged code processes a binary measurement.

Affected Systems

All Linux kernel releases that contain the IMA appraiser framework before the commit inserting the bprm_is_check boolean are affected. The vulnerability applies to every distribution running an unpatched kernel that has the IMA module enabled.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector is a local attacker who can execute privileged code that triggers IMA measurement, such as via sudo or privileged binary execution. The bug is a local kernel read flaw; the EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, indicating a low to medium exploitation probability. The impact is limited to information disclosure or potential kernel instability for privileged users, with no direct remote code execution pathway reported.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`95b3cdafd7cb74414070893445a9b731793f7b55`	affected	< ab3d16da982a4ebb715d487dbf9dd66e3990d935
`95b3cdafd7cb74414070893445a9b731793f7b55`	affected	< 377cae9851e8559e9d8b82a78c1ac0abeb18839c

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[95b3cdafd7cb74414070893445a9b731793f7b55,ab3d16da982a4ebb715d487dbf9dd66e3990d935)`	affected	code_commit	—
`[95b3cdafd7cb74414070893445a9b731793f7b55,377cae9851e8559e9d8b82a78c1ac0abeb18839c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that incorporates the IMA stack‑out‑of‑bounds fix
Reboot the system to load the patched kernel
As a temporary countermeasure, disable IMA enforcement by setting the kernel boot parameter ima=none or disabling the IMA subsystem through sysctl until a patch is applied

Generated by OpenCVE AI on May 29, 2026 at 05:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00189.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c
https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935
https://lore.kernel.org/linux-cve-announce/2026052706-CVE-2025-71306-f80c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-71306
https://www.cve.org/CVERecord?id=CVE-2025-71306

History

Fri, 29 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-125

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-823
References		https://lore.kernel.org/linux-cve-announce/2026052706-CVE-2025-71306-f80c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-71306 https://www.cve.org/CVERecord?id=CVE-2025-71306

Wed, 27 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.
Title		ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:14:57.182Z

Updated: 2026-05-27T12:14:57.182Z

Reserved: 2026-05-08T13:14:33.088Z

Link: CVE-2025-71306

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:43.167

Modified: 2026-05-27T14:48:31.480

Link: CVE-2025-71306

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2025-71306 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:15:16Z

Weaknesses

CWE-823
Use of Out-of-range Pointer Offset

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object