{ "affected": [ { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:13", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "6.12.48-1" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:14", "name": "linux" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "6.16.8-1" } ], "type": "ECOSYSTEM" } ] } ], "details": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source. Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr: psrc = __bpf_dynptr_data(src, src_len); [...] pdst = __bpf_dynptr_data_rw(dst, dst_len); [...] err = decrypt ? ctx-\u003etype-\u003edecrypt(ctx-\u003etfm, psrc, pdst, src_len, piv) : ctx-\u003etype-\u003eencrypt(ctx-\u003etfm, psrc, pdst, src_len, piv); The crypto backend expects pdst to be large enough with a src_len length that can be written. Add an additional src_len \u003e dst_len check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.", "id": "DEBIAN-CVE-2025-39917", "modified": "2026-04-28T19:48:12.231967788Z", "published": "2025-10-01T08:15:34.887Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2025-39917" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "upstream": [ "CVE-2025-39917" ] }