PatchSiren

CVE-2025-71306 Linux CVE debrief

A stack-out-of-bounds memory access vulnerability exists in the Linux kernel's Integrity Measurement Architecture (IMA) subsystem. The flaw occurs in `ima_appraise_measurement()` when `is_bprm_creds_for_exec()` incorrectly uses `container_of()` on a `*file` pointer, causing an invalid offset calculation that reads beyond allocated stack memory. KASAN detected this as a 1-byte read at an out-of-bounds stack address during `sudo` execution. The vulnerability is triggered during BPRM_CHECK operations when process measurement functions are called with a `linux_binprm` pointer. The fix introduces a `bprm_is_check` boolean parameter to properly track whether the caller has a valid `linux_binprm` pointer, eliminating the unsafe `container_of()` dereference. This is a local vulnerability requiring execution of a binary with IMA appraisal enabled.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running IMA (Integrity Measurement Architecture) with appraisal mode enabled; security teams monitoring kernel memory safety; organizations using measured boot and runtime integrity verification

Technical summary

The vulnerability stems from improper pointer arithmetic in `is_bprm_creds_for_exec()` within `security/integrity/ima/ima_appraise.c`. The function used `container_of()` to derive a structure from a `struct file *` pointer, but the offset calculation accessed memory before the allocated stack objects. The fix adds explicit boolean tracking (`bprm_is_check`) passed through `process_measurement()` to indicate whether the caller holds a valid `linux_binprm` pointer, avoiding the unsafe dereference entirely. Two kernel stable commits address this issue.
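The following user-space model is an added example, not kernel code or code from the fix commits. It shows why `container_of()` only works on the address of a member inside the real object, and the shape of passing the flag by value instead. The struct layout, the function names, and the assumption that the misuse came from taking the address of a by-value pointer copy are all illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions); not the kernel's real definitions. */
struct file { int unused; };
struct binprm_model {
    char pad[24];        /* fields that precede the member */
    struct file *file;   /* member that container_of() is keyed on */
    bool is_check;
};

/* The address arithmetic container_of() performs, done on integers so
 * that nothing is dereferenced in this demonstration. */
static uintptr_t enclosing_addr(const void *member_addr)
{
    return (uintptr_t)member_addr - offsetof(struct binprm_model, file);
}

/* Valid: the argument is the address of the member inside the object. */
static bool valid_use_recovers(const struct binprm_model *bprm)
{
    return enclosing_addr(&bprm->file) == (uintptr_t)bprm;
}

/* Unsafe pattern: 'file' is a by-value copy living in this frame, so the
 * derived "struct" address is an unrelated stack location. */
static bool unsafe_use_recovers(const struct binprm_model *bprm, struct file *file)
{
    return enclosing_addr(&file) == (uintptr_t)bprm;
}

/* Shape of the fix: the caller that holds the struct passes the flag by
 * value, so the callee derives nothing from a pointer. */
static bool creds_for_exec(bool bprm_check_hook, bool bprm_is_check)
{
    return bprm_check_hook && bprm_is_check;
}

int main(void)
{
    struct file f = { 0 };
    struct binprm_model b = { .file = &f, .is_check = true };

    printf("valid=%d unsafe=%d fixed=%d\n", valid_use_recovers(&b),
           unsafe_use_recovers(&b, b.file), creds_for_exec(true, b.is_check));
    return 0;
}
```

In the kernel the derived pointer was then dereferenced, which is the out-of-bounds stack read KASAN reported; the model only compares addresses.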

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Enable KASAN in test environments to detect similar memory safety issues
  • Review IMA appraisal policies for critical systems
  • Monitor distribution security advisories for backported fixes
  • Validate IMA measurement logs for unexpected appraisal failures

Evidence notes

KASAN stack trace confirms out-of-bounds read in `ima_appraise_measurement+0x12dc/0x16a0` during `sudo` execution. The vulnerable frame contains two stack objects: 'file' [48,56) and 'hash' [80,148), with the buggy access at offset 24—outside both objects. Root cause identified as unsafe `container_of()` usage on `*file` pointer for offset calculation.
