KernelScan.io

HIGH

ima BprmCheck OOB

CVE-2025-71306

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI3.3LOW

01

In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.

02

Engine v0.2.0

Risk summary

Local users can trigger a stack out-of-bounds read in the IMA (Integrity Measurement Architecture) subsystem during file execution. The vulnerability occurs when IMA attempts to appraise file measurements using an invalid container_of calculation on a stack-allocated file pointer, causing a one-byte read of adjacent stack memory. On production kernels without KASAN, this typically results in a silent read of garbage data rather than a system crash.

Affectedsecurity/integrity/ima/ima_appraise.c (IMA subsystem)

Vulnerability analysis

The root cause is improper use of container_of() in is_bprm_creds_for_exec() to derive a linux_binprm pointer from a file pointer that was not actually embedded in that structure. This causes a stack-out-of-bounds read when the calculated offset is used to read the is_check field. The fix eliminates the container_of usage by passing a bprm_is_check boolean parameter through the call chain, set appropriately based on the calling context. Attack surface is local file execution, reachable by any user who can execute files that match the IMA appraisal policy.

03

BranchFixed inPatch commit
6.196.19.4ab3d16da982a
mainline7.0377cae9851e8