CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
kasan_check_range+0xe8/0x190
__asan_loadN+0x1c/0x28
memcmp+0x98/0xd0
efivarfs_d_compare+0x68/0xd8
__d_lookup_rcu_op_compare+0x178/0x218
__d_lookup_rcu+0x1f8/0x228
d_alloc_parallel+0x150/0x648
lookup_open.isra.0+0x5f0/0x8d0
open_last_lookups+0x264/0x828
path_openat+0x130/0x3f8
do_filp_open+0x114/0x248
do_sys_openat2+0x340/0x3c0
__arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become
negative, leadings to oob. The issue can be triggered by parallel
lookups using invalid filename:
T1 T2
lookup_open
->lookup
simple_lookup
d_add
// invalid dentry is added to hash list
lookup_open
d_alloc_parallel
__d_lookup_rcu
__d_lookup_rcu_op_compare
hlist_bl_for_each_entry_rcu
// invalid dentry can be retrieved
->d_compare
efivarfs_d_compare
// oob
Fix it by checking 'guid' before cmp.
Security readout for executives and security teams
Plain-English summary
CVE-2025-39817 is a Linux kernel memory-bounds bug in efivarfs, the filesystem used for UEFI variables. A malformed short filename during parallel lookups can make the kernel compare memory outside the expected object. Public sources show it has been fixed upstream, but they do not provide CVSS, severity, or proven real-world exploitation.
Executive priority
Treat this as a kernel maintenance priority, not an emergency based on current evidence. Escalate where affected systems host untrusted local workloads, because kernel memory bugs can have serious impact even when public exploit evidence is absent.
Technical view
The flaw is in efivarfs_d_compare. If dentry->d_name.len is shorter than EFI_VARIABLE_GUID_LEN, the calculated guid offset can become negative, leading to a slab out-of-bounds read during memcmp. The reported trigger involves parallel lookups of an invalid filename after an invalid dentry is added to the hash list.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions with efivarfs reachable. The CVE record lists affected Linux kernel ranges and multiple stable fixes, but does not identify affected distributions beyond linked Debian LTS advisories.
Exploitation context
No KEV listing is indicated, and the provided sources do not claim active exploitation. The CVE text describes a trigger condition using invalid filenames and parallel lookups, but does not establish remote exploitability or privilege impact.
Researcher notes
The strongest evidence is the kernel fix rationale and KASAN trace. The sources do not provide CVSS, CWE, exploit maturity, or a complete product matrix. Avoid assuming remote exposure or privilege escalation without additional vendor analysis.
Mitigation direction
Update Linux kernels to vendor-supported versions containing the efivarfs fixes.
Review Debian LTS advisories if operating affected Debian long-term support systems.
Check Linux vendor guidance for distribution-specific fixed package versions.
Prioritize faster remediation where untrusted local users or workloads can access efivarfs.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Confirm whether efivarfs is mounted or otherwise reachable on each system.
Compare running kernels against vendor advisories and fixed stable kernel releases.
Verify patched systems no longer match the affected kernel ranges.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-39817 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.