{"id":"CVE-2025-39917","summary":"bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt\n\nStanislav reported that in bpf_crypto_crypt() the destination dynptr's\nsize is not validated to be at least as large as the source dynptr's\nsize before calling into the crypto backend with 'len = src_len'. This\ncan result in an OOB write when the destination is smaller than the\nsource.\n\nConcretely, in mentioned function, psrc and pdst are both linear\nbuffers fetched from each dynptr:\n\n  psrc = __bpf_dynptr_data(src, src_len);\n  [...]\n  pdst = __bpf_dynptr_data_rw(dst, dst_len);\n  [...]\n  err = decrypt ?\n        ctx-\u003etype-\u003edecrypt(ctx-\u003etfm, psrc, pdst, src_len, piv) :\n        ctx-\u003etype-\u003eencrypt(ctx-\u003etfm, psrc, pdst, src_len, piv);\n\nThe crypto backend expects pdst to be large enough with a src_len length\nthat can be written. Add an additional src_len \u003e dst_len check and bail\nout if it's the case. Note that these kfuncs are accessible under root\nprivileges only.","modified":"2026-03-20T12:43:06.433570Z","published":"2025-10-01T07:44:39.423Z","related":["SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","openSUSE-SU-2025:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39917.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0126358df12d6f476f79251d9c398ac5c1b3062d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4be24ef0510c146dca4671effb127e97631534b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39917.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39917"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3e1c6f35409f9e447bf37f64840f5b65576bfb78"},{"fixed":"0126358df12d6f476f79251d9c398ac5c1b3062d"},{"fixed":"c4be24ef0510c146dca4671effb127e97631534b"},{"fixed":"f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39917.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}