PT-2025-42249 · Linux · Linux Kernel

Published 2025-09-23 · Updated 2025-10-16 · CVE-2025-39974

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel versions 6.17.0-rc6 and earlier

Description

A slab-out-of-bounds read exists in the Linux kernel's tracing/osnoise component. The _parse_integer_limit() function may read past the end of a slab allocation when a CPU list is passed via the write() syscall to the /sys/kernel/debug/tracing/osnoise/cpus interface. The CPU list is parsed by bitmap_parselist(), which requires a null-terminated input buffer, and osnoise_cpus_write() did not guarantee that termination. The issue can be triggered by writing a CPU list string, such as "1", to the affected interface.

Recommendations

Update to a newer version of the Linux kernel that addresses this issue.
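
The termination requirement described above, as a user-space model added here for illustration; it is not the kernel's code or its patch. parse_cpulist(), cpus_write_hardened(), MAX_CPUS and the 4096-byte limit are hypothetical names and values chosen for this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CPUS 64 /* assumption for this model */

/* Hypothetical stand-in for a list parser that, like bitmap_parselist(),
 * keeps reading until it meets '\0'. Accepts "N" and "N-M", comma separated. */
int parse_cpulist(const char *s, unsigned long long *mask)
{
    *mask = 0;
    while (*s) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return -EINVAL;
        unsigned long lo = strtoul(s, &end, 10), hi = lo;
        if (*end == '-' && isdigit((unsigned char)end[1]))
            hi = strtoul(end + 1, &end, 10);
        if (lo > hi || hi >= MAX_CPUS)
            return -EINVAL;
        for (unsigned long c = lo; c <= hi; c++)
            *mask |= 1ULL << c;
        if (*end == ',' || *end == '\n')
            end++;
        else if (*end != '\0')
            return -EINVAL;
        s = end;
    }
    return 0;
}

/* Write-handler model: `ubuf` carries exactly `count` bytes and no
 * terminator, as a write(2) payload does. Allocating only `count` bytes and
 * parsing that copy is the flawed shape; the extra byte bounds the parser. */
long cpus_write_hardened(const char *ubuf, size_t count, unsigned long long *mask)
{
    if (count == 0 || count > 4096) /* size limit is an assumption */
        return -EINVAL;
    char *buf = malloc(count + 1);
    if (!buf)
        return -ENOMEM;
    memcpy(buf, ubuf, count); /* models copy_from_user() */
    buf[count] = '\0';        /* guarantee termination before parsing */
    int err = parse_cpulist(buf, mask);
    free(buf);
    return err ? err : (long)count;
}
```
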

Exploit

Fix

Out of bounds Read


Weakness Enumeration

Related Identifiers

BDU:2026-03753
CVE-2025-39974

Affected Products

Linux Kernel