FKIE_CVE-2025-71197

Vulnerability from fkie_nvd - Published: 2026-02-04 17:16 - Updated: 2026-02-06 17:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\ndoes not account for this extra byte. The original code then allocated\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index \u0027size\u0027.\n\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code."
    }
  ],
  "id": "CVE-2025-71197",
  "lastModified": "2026-02-06T17:16:20.170",
  "metrics": {},
  "published": "2026-02-04T17:16:11.633",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.