LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0 If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob Fix it by checking 'guid' before cmp.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-39817 is a Linux kernel memory-bounds bug in efivarfs, the filesystem used for UEFI variables. A malformed short filename during parallel lookups can make the kernel compare memory outside the expected object. Public sources show it has been fixed upstream, but they do not provide CVSS, severity, or proven real-world exploitation.

Executive priority

Treat this as a kernel maintenance priority, not an emergency based on current evidence. Escalate where affected systems host untrusted local workloads, because kernel memory bugs can have serious impact even when public exploit evidence is absent.

Technical view

The flaw is in efivarfs_d_compare. If dentry->d_name.len is shorter than EFI_VARIABLE_GUID_LEN, the calculated guid offset can become negative, leading to a slab out-of-bounds read during memcmp. The reported trigger involves parallel lookups of an invalid filename after an invalid dentry is added to the hash list.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions with efivarfs reachable. The CVE record lists affected Linux kernel ranges and multiple stable fixes, but does not identify affected distributions beyond linked Debian LTS advisories.

Exploitation context

No KEV listing is indicated, and the provided sources do not claim active exploitation. The CVE text describes a trigger condition using invalid filenames and parallel lookups, but does not establish remote exploitability or privilege impact.

Researcher notes

The strongest evidence is the kernel fix rationale and KASAN trace. The sources do not provide CVSS, CWE, exploit maturity, or a complete product matrix. Avoid assuming remote exposure or privilege escalation without additional vendor analysis.

Mitigation direction

  • Update Linux kernels to vendor-supported versions containing the efivarfs fixes.
  • Review Debian LTS advisories if operating affected Debian long-term support systems.
  • Check Linux vendor guidance for distribution-specific fixed package versions.
  • Prioritize faster remediation where untrusted local users or workloads can access efivarfs.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Confirm whether efivarfs is mounted or otherwise reachable on each system.
  • Compare running kernels against vendor advisories and fixed stable kernel releases.
  • Verify patched systems no longer match the affected kernel ranges.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39817 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxda27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, da27a24383b2b10bf6ebd0db29b325548aafecb4, 688289c4b745c018b3449b4b4c5a2030083c8eaf, 3.8.2unaffected
LinuxLinux3.9, 0, 5.4.298, 5.10.242, 5.15.191, 6.1.150, 6.6.104, 6.12.45, 6.16.5, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.