diff --git a/NEWS b/NEWS
index 84c070d39e..2842c436e2 100644
--- a/NEWS
+++ b/NEWS
@@ -105,6 +105,7 @@ The following bugs are resolved with this release:
   [32052] Name space violation in fortify wrappers
   [32137] libio: Attempt wide backup free only for non-legacy code
   [32470] x86: Avoid integer truncation with large cache sizes
+  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
 
 Security related changes:
 
@@ -122,6 +123,10 @@ Security related changes:
   buffer overflow, which could be exploited to achieve escalated
   privileges.  This flaw was introduced in glibc 2.34.
 
+  CVE-2025-0395: When the assert() function fails, it does not allocate
+  enough space for the assertion failure message string and size
+  information, which may lead to a buffer overflow if the message string
+  size aligns to page size.
 
 Version 2.35
 
diff --git a/assert/assert.c b/assert/assert.c
index 133a183bc3..9e55eeb473 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
 #include <assert.h>
 #include <atomic.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <libintl.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
       (void) __fxprintf (NULL, "%s", str);
       (void) fflush (stderr);
 
-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+			GLRO(dl_pagesize));
       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
 					MAP_ANON | MAP_PRIVATE, -1, 0);
       if (__glibc_likely (buf != MAP_FAILED))
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 2ee0010b8d..dfa0780514 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <paths.h>
 #include <stdarg.h>
 #include <stdbool.h>
@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
 
       if ((action & do_abort))
 	{
-	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
-		   & ~(GLRO(dl_pagesize) - 1));
+	  total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+			    GLRO(dl_pagesize));
 	  struct abort_msg_s *buf = __mmap (NULL, total,
 					    PROT_READ | PROT_WRITE,
 					    MAP_ANON | MAP_PRIVATE, -1, 0);