{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: audit: fix out-of-bounds read in audit_compare_dname_path()",
    "id" : "2396936",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396936"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\naudit: fix out-of-bounds read in audit_compare_dname_path()\nWhen a watch on dir=/ is combined with an fsnotify event for a\nsingle-character name directly under / (e.g., creating /a), an\nout-of-bounds read can occur in audit_compare_dname_path().\nThe helper parent_len() returns 1 for \"/\". In audit_compare_dname_path(),\nwhen parentlen equals the full path length (1), the code sets p = path + 1\nand pathlen = 1 - 1 = 0. The subsequent loop then dereferences\np[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.\nFix this by adding a pathlen > 0 check to the while loop condition\nto prevent the out-of-bounds access.\n[PM: subject tweak, sign-off email fixes]", "An out of bounds read exists in the linux kernel such that \nwhen a watch on dir=/ is combined with an fsnotify event for a\nsingle-character name directly under root an\nout-of-bounds read can occur in audit_compare_dname_path()." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0453",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.27.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0445",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.20.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0445",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.20.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39840\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39840\nhttps://lore.kernel.org/linux-cve-announce/2025091902-CVE-2025-39840-bad6@gregkh/T" ],
  "name" : "CVE-2025-39840",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}