LiveActive security incident?Get immediate response
CVE Record

CVE-2025-71306: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel bug in the Integrity Measurement Architecture path. A bad pointer calculation can make the kernel read outside a stack object during process execution checks. The public record does not provide a CVSS score, impact rating, or evidence of active exploitation.

Executive priority

Handle as a kernel maintenance and exposure-management item until severity is clarified. Prioritize patch planning for Linux fleets using IMA, custom kernels, or security-sensitive execution controls, but do not treat it as actively exploited based on the provided evidence.

Technical view

KASAN reported a stack-out-of-bounds read in ima_appraise_measurement reached from is_bprm_creds_for_exec. The cause is container_of use on a file pointer during BPRM_CHECK handling. The fix changes the call flow to pass an explicit bprm_is_check boolean instead of inferring it through unsafe pointer arithmetic.

Likely exposure

Exposure is limited to Linux systems running kernels that include the affected IMA code path. The source lists Linux kernel version metadata including 6.14, 6.19.4, and 7.0, but downstream distribution exposure depends on vendor backports and packaging.

Exploitation context

The provided sources show a KASAN-discovered kernel memory safety issue and stable kernel fixes. They do not claim public exploitation, weaponized proof of concept, privilege impact, or remote reachability. The CVE is not listed as KEV in the provided bundle.

Researcher notes

The record attributes the issue to unsafe container_of-derived offset calculation on a file pointer. The published fix avoids that inference by passing explicit BPRM_CHECK context. Impact assessment is incomplete because CVSS, CWE, exploitability, and privilege consequences are not provided.

Mitigation direction

  • Inventory Linux kernel versions across servers, appliances, and images.
  • Check vendor kernel advisories for this CVE and related IMA fixes.
  • Apply vendor kernel updates that include the referenced stable commits.
  • Prioritize systems using IMA appraisal or strict execution integrity controls.
  • Track distribution backports rather than relying only on upstream version numbers.

Validation and detection

  • Confirm running kernel versions against vendor fixed package versions.
  • Review kernel changelogs for the two referenced stable commits.
  • Check whether IMA appraisal is enabled on relevant systems.
  • Monitor kernel logs for IMA or KASAN-related anomalies if available.
  • Document any unsupported or custom kernels requiring separate review.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-71306 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux95b3cdafd7cb74414070893445a9b731793f7b55, 95b3cdafd7cb74414070893445a9b731793f7b55unaffected
LinuxLinux6.14, 0, 6.19.4, 7.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.