CVE-2025-71197 Overview
CVE-2025-71197 is an off-by-one buffer overflow in the Linux kernel's 1-Wire (w1) thermal driver, specifically in the alarms_store() sysfs handler. The handler allocates an intermediate buffer of exactly size bytes, where size is the payload length the sysfs core passes in, and then uses strcpy() to copy the sysfs input. Because strcpy() also copies the NUL terminator that the sysfs core places at index size, it writes one byte past the allocated region on every invocation. The upstream fix removes the intermediate allocation entirely and parses the input directly with simple_strtoll().
Critical Impact
Each write to the alarms sysfs attribute of a w1 therm device corrupts one byte of adjacent kernel heap memory, creating conditions for kernel memory corruption and potential local privilege escalation.
Affected Products
- Linux kernel drivers/w1/slaves/w1_therm.c (1-Wire thermal slave driver)
- Stable kernel branches receiving backports identified by commits 060b08d, 49ff9b4b, 6a5820ec, 6fd6d2a8, 761fcf4, b3fc3e1f, and e6b2609a
- Linux distributions shipping vulnerable kernels with the w1-therm module loaded
Discovery Timeline
- 2026-02-04 - CVE-2025-71197 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-71197
Vulnerability Analysis
The vulnerability resides in the alarms_store() function of the w1 therm driver, which handles writes to the alarms sysfs attribute exposed by 1-Wire temperature sensors such as the DS18B20. The sysfs core hands the store callback a buffer allocated as size + 1 bytes, with a NUL terminator written at offset size. The original handler did not account for this trailing byte. It allocated a working buffer of exactly size bytes and then called strcpy() to duplicate the input. Since strcpy() continues copying until it sees the NUL byte, it writes size + 1 bytes into a size-byte allocation, overflowing by exactly one byte every time the attribute is written. This pattern qualifies as a classic off-by-one heap overflow [CWE-193, CWE-122].
Root Cause
The root cause is an incorrect length assumption in the interaction between the sysfs store contract and strcpy(). The handler treated size as the full length of a NUL-terminated string rather than the count of payload bytes. Combined with strcpy()'s NUL-driven termination semantics, the allocation size was always one byte short of what the copy required. The fix sidesteps the issue by removing the intermediate allocation and strcpy() call, parsing the integer value directly out of the caller-supplied buffer using simple_strtoll().
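As an added illustration, not the driver's source or the upstream patch, the following C model shows the sysfs size contract, how many bytes the allocate-and-strcpy() pattern writes past a size-byte buffer, and the direct-parse shape of the fix. The names make_sysfs_buf, vulnerable_overflow_bytes and parse_alarm_value are hypothetical, strtoll() stands in for the kernel's simple_strtoll(), and the single-integer syntax is a simplification of the driver's real alarm format.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the sysfs store contract (not kernel code): the
 * core hands the handler `size` payload bytes followed by a NUL at
 * buf[size], exactly as the advisory describes. */
char *make_sysfs_buf(const char *payload, size_t *size)
{
    *size = strlen(payload);
    char *buf = malloc(*size + 1);       /* size + 1, like the sysfs core */
    if (buf)
        memcpy(buf, payload, *size + 1); /* copies the NUL into buf[size] */
    return buf;
}

/* Vulnerable pattern: a `size`-byte allocation filled by strcpy().
 * Returns how many bytes strcpy() would write beyond the allocation;
 * it computes the overflow instead of performing it. */
size_t vulnerable_overflow_bytes(const char *buf, size_t size)
{
    size_t written = strlen(buf) + 1;    /* payload plus the NUL */
    return written > size ? written - size : 0;
}

/* Fixed pattern, following the upstream approach: no intermediate
 * buffer, parse straight from the caller's buffer. strtoll() is the
 * userspace stand-in for the kernel's simple_strtoll(); the single
 * integer here is a simplification of the driver's real alarm syntax.
 * Returns 0 and sets *out on success, -EINVAL on malformed input. */
int parse_alarm_value(const char *buf, size_t size, long long *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(buf, &end, 10);
    if (errno != 0 || end == buf)
        return -EINVAL;
    /* Tolerate the trailing newline that `echo` appends, nothing else. */
    while (end < buf + size && (*end == '\n' || *end == ' '))
        end++;
    if (end != buf + size)
        return -EINVAL;
    *out = v;
    return 0;
}
```

For any input the core delivers, strlen(buf) equals size, so the vulnerable pattern always needs size + 1 bytes and overflows by exactly one.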
Attack Vector
Exploitation requires local write access to the device's sysfs attribute at a path such as /sys/bus/w1/devices/<device-id>/alarms. Systems that expose this path to non-root users, or environments where an attacker already executes code in a low-privileged context with access to the 1-Wire subsystem, are exposed. Each write triggers a one-byte heap overflow into the SLUB slab object adjacent to the working buffer, which is the kind of primitive that kernel heap grooming techniques use to corrupt neighboring object metadata.
No verified public exploit code is available. The vulnerability mechanism is documented in the upstream kernel patches; see Kernel Patch 060b08d and Kernel Patch e6b2609a for the exact source changes.
Detection Methods for CVE-2025-71197
Indicators of Compromise
- Unexpected kernel oops or slab-out-of-bounds reports from KASAN-enabled kernels referencing alarms_store in w1_therm
- Kernel log entries showing SLUB redzone or freelist corruption following writes to /sys/bus/w1/devices/*/alarms
- Unprivileged processes writing to w1 therm alarms sysfs attributes on systems where this is not expected behavior
Detection Strategies
- Audit loaded kernel modules for w1_therm and inventory hosts where the 1-Wire subsystem is active, especially embedded Linux and IoT gateways
- Enable KASAN on test and staging kernels to surface the one-byte overflow at the moment of exploitation
- Monitor auditd for open and write syscalls targeting /sys/bus/w1/devices/*/alarms from non-root UIDs
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and journald kernel facility logs to a central pipeline and alert on BUG:, KASAN, or slab-out-of-bounds strings tied to w1_therm
- Track sysfs write activity on 1-Wire device paths through eBPF-based runtime monitoring
- Correlate sysfs writes with subsequent kernel crashes or privilege boundary changes on the same host
How to Mitigate CVE-2025-71197
Immediate Actions Required
- Apply the upstream stable kernel update containing one of the fix commits (060b08d, 49ff9b4b, 6a5820ec, 6fd6d2a8, 761fcf4, b3fc3e1f, or e6b2609a) shipped by your distribution
- If patching is not immediately possible and 1-Wire thermal sensors are not in use, unload the module with modprobe -r w1_therm and blacklist it
- Restrict write permissions on /sys/bus/w1/devices/*/alarms to root only on systems where the driver must remain loaded
Patch Information
The fix replaces the vulnerable allocate-and-strcpy() pattern with direct parsing via simple_strtoll(), eliminating the intermediate buffer and the off-by-one entirely. The change has been backported across multiple stable trees. Refer to Kernel Patch 49ff9b4b, Kernel Patch 6a5820ec, Kernel Patch 6fd6d2a8, Kernel Patch 761fcf4, and Kernel Patch b3fc3e1f for the specific stable branch applicable to your kernel.
Workarounds
- Blacklist the w1_therm module on hosts that do not require 1-Wire thermal sensor support
- Tighten sysfs permissions so only root can write to the alarms attribute, reducing the attack surface to already-privileged contexts
- Enable kernel hardening options such as CONFIG_SLAB_FREELIST_HARDENED and CONFIG_FORTIFY_SOURCE to raise the cost of exploiting heap overflows
# Blacklist the vulnerable module until patching is complete.
# "blacklist" only stops alias-based autoloading; the "install" line also
# refuses explicit modprobe requests and dependency loads.
printf 'blacklist w1_therm\ninstall w1_therm /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-w1-therm.conf
sudo modprobe -r w1_therm
# Restrict write access to the alarms sysfs attribute (root-only).
# sysfs permissions are not persistent: they reset when the device node is
# re-created, so re-apply this at boot or through a udev rule.
for f in /sys/bus/w1/devices/*/alarms; do
    [ -e "$f" ] && sudo chmod 600 "$f"
done
# Record the running kernel and w1_therm module details to compare against
# your distribution's advisory; a string search of the compressed vmlinuz
# cannot tell whether the fix commit is present.
uname -r
modinfo w1_therm 2>/dev/null | grep -E '^(filename|vermagic|srcversion)'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.