CVE-2025-71306: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:
BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
[48, 56) 'file'
[80, 148) 'hash'
This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.
In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel bug in the Integrity Measurement Architecture path. A bad pointer calculation can make the kernel read outside a stack object during process execution checks. The public record does not provide a CVSS score, impact rating, or evidence of active exploitation.
Executive priority
Handle as a kernel maintenance and exposure-management item until severity is clarified. Prioritize patch planning for Linux fleets using IMA, custom kernels, or security-sensitive execution controls, but do not treat it as actively exploited based on the provided evidence.
Technical view
KASAN reported a stack-out-of-bounds read in ima_appraise_measurement reached from is_bprm_creds_for_exec. The cause is container_of use on a file pointer during BPRM_CHECK handling. The fix changes the call flow to pass an explicit bprm_is_check boolean instead of inferring it through unsafe pointer arithmetic.
Likely exposure
Exposure is limited to Linux systems running kernels that include the affected IMA code path. The source lists Linux kernel version metadata including 6.14, 6.19.4, and 7.0, but downstream distribution exposure depends on vendor backports and packaging.
Exploitation context
The provided sources show a KASAN-discovered kernel memory safety issue and stable kernel fixes. They do not claim public exploitation, weaponized proof of concept, privilege impact, or remote reachability. The CVE is not listed as KEV in the provided bundle.
Researcher notes
The record attributes the issue to unsafe container_of-derived offset calculation on a file pointer. The published fix avoids that inference by passing explicit BPRM_CHECK context. Impact assessment is incomplete because CVSS, CWE, exploitability, and privilege consequences are not provided.
Mitigation direction
Inventory Linux kernel versions across servers, appliances, and images.
Check vendor kernel advisories for this CVE and related IMA fixes.
Apply vendor kernel updates that include the referenced stable commits.
Prioritize systems using IMA appraisal or strict execution integrity controls.
Track distribution backports rather than relying only on upstream version numbers.
Validation and detection
Confirm running kernel versions against vendor fixed package versions.
Review kernel changelogs for the two referenced stable commits.
Check whether IMA appraisal is enabled on relevant systems.
Monitor kernel logs for IMA or KASAN-related anomalies if available.
Document any unsupported or custom kernels requiring separate review.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-71306 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 27, 2026, 12:14 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.