CVE-2025-71197
w1: therm: Fix off-by-one buffer overflow in alarms_store
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS —EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
04 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
In the Linux kernel, the following vulnerability has been resolved:
w1: therm: Fix off-by-one buffer overflow in alarms_store
The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.
Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.
Productos afectados
Linux · LinuxReferencias
https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6bhttps://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442ehttps://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668ahttps://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cfhttps://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169