CVE-2025-71197 (GCVE-0-2025-71197)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-02-09 08:36
Title
w1: therm: Fix off-by-one buffer overflow in alarms_store
Summary
In the Linux kernel, the following vulnerability has been resolved:

w1: therm: Fix off-by-one buffer overflow in alarms_store

The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'.

Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95 (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 060b08d72a38b158a7f850d4b83c17c2969e0f6b (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 6a5820ecfa5a76c3d3e154802c8c15f391ef442e (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < e6b2609af21b5cccc9559339591b8a2cbf884169 (git)
Affected: e2c94d6f572079511945e64537eb1218643f2e68 , < 761fcf46a1bd797bd32d23f3ea0141ffd437668a (git)
    Linux Linux Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.249 , ≤ 5.10.* (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/w1/slaves/w1_therm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "060b08d72a38b158a7f850d4b83c17c2969e0f6b",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "6a5820ecfa5a76c3d3e154802c8c15f391ef442e",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "e6b2609af21b5cccc9559339591b8a2cbf884169",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            },
            {
              "lessThan": "761fcf46a1bd797bd32d23f3ea0141ffd437668a",
              "status": "affected",
              "version": "e2c94d6f572079511945e64537eb1218643f2e68",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/w1/slaves/w1_therm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\ndoes not account for this extra byte. The original code then allocated\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index \u0027size\u0027.\n\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:36:22.910Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95"
        },
        {
          "url": "https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169"
        },
        {
          "url": "https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a"
        }
      ],
      "title": "w1: therm: Fix off-by-one buffer overflow in alarms_store",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71197",
    "datePublished": "2026-02-04T16:07:32.198Z",
    "dateReserved": "2026-01-31T11:36:51.192Z",
    "dateUpdated": "2026-02-09T08:36:22.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71197\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:11.633\",\"lastModified\":\"2026-02-06T17:16:20.170\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nw1: therm: Fix off-by-one buffer overflow in alarms_store\\n\\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\\ndoes not account for this extra byte. The original code then allocated\\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\\nbyte past the allocated buffer since strcpy() copies until the NUL\\nterminator at index \u0027size\u0027.\\n\\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\\nwithout allocating any intermediate memory or string copying. This\\nremoves the overflow while simplifying the code.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

