CVE-2025-39683— tracing: Limit access to parser->buffer when trace_get_user failed
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-39683
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tracing: Limit access to parser->buffer when trace_get_user failed
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0 The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于tracing模块在trace_get_user失败时未限制对parser->buffer的访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-39683
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-39683
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-05 · 60 CVEs total
| CVE-2025-39707 | drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities | |
| CVE-2025-39725 | mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list | |
| CVE-2025-39722 | crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP | |
| CVE-2025-39721 | crypto: qat - flush misc workqueue during device shutdown | |
| CVE-2025-39720 | ksmbd: fix refcount leak causing resource not released | |
| CVE-2025-39723 | netfs: Fix unbuffered write error handling | |
| CVE-2025-39711 | media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls | |
| CVE-2025-39710 | media: venus: Add a check for packet size after reading from shared memory | |
| CVE-2025-39709 | media: venus: protect against spurious interrupts during probe | |
| CVE-2025-39708 | media: iris: Fix NULL pointer dereference | |
| CVE-2025-39712 | media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval | |
| CVE-2025-39706 | drm/amdkfd: Destroy KFD debugfs after destroy KFD wq | |
| CVE-2025-39705 | drm/amd/display: fix a Null pointer dereference vulnerability | |
| CVE-2025-39704 | LoongArch: KVM: Fix stack protector issue in send_ipi_data() | |
| CVE-2025-39703 | net, hsr: reject HSR frame if skb can't hold tag | |
| CVE-2025-39702 | ipv6: sr: Fix MAC comparison to be constant-time | |
| CVE-2025-39701 | ACPI: pfr_update: Fix the driver update version check | |
| CVE-2025-39700 | mm/damon/ops-common: ignore migration request to invalid nodes | |
| CVE-2025-39699 | iommu/riscv: prevent NULL deref in iova_to_phys | |
| CVE-2025-39698 | io_uring/futex: ensure io_futex_wait() cleans up properly on failure |
Showing top 20 of 60 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2025-39683
No comments yet