CVE-2025-21887: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>
AI Analysis
Technical Summary
CVE-2025-21887 is a high-severity vulnerability in the Linux kernel's overlay filesystem (overlayfs) implementation. The flaw is a use-after-free (UAF) condition occurring in the function ovl_dentry_update_reval, specifically related to the handling of dput(upper) calls. The vulnerability arises because dput(upper) is invoked before the last access to upper->d_flags in ovl_dentry_remote, leading to a situation where memory is freed prematurely and then accessed afterward. This results in a use-after-free bug, which is a critical memory safety issue that can lead to arbitrary code execution, kernel crashes, or privilege escalation. The kernel's Kernel Address Sanitizer (KASAN) detected this slab-use-after-free in the overlayfs utility code, confirming the memory corruption. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, indicating it spans several releases. The CVSS 3.1 score of 7.8 reflects the high impact on confidentiality, integrity, and availability, with an attack vector requiring local access but low complexity and limited privileges. Exploitation does not require user interaction, and the scope is unchanged, meaning the vulnerability affects only the vulnerable component without spreading to other system components. The vulnerability is categorized under CWE-416 (Use After Free). No known exploits are currently reported in the wild, but the nature of the flaw makes it a significant risk for local attackers aiming to escalate privileges or cause denial of service on affected Linux systems using overlayfs.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux servers and systems that utilize overlayfs, commonly used in container environments (e.g., Docker, Kubernetes) and virtualization. Successful exploitation could allow local attackers or compromised users to escalate privileges to root, leading to full system compromise. This could result in data breaches, disruption of critical services, and loss of system integrity. Given the widespread adoption of Linux in European data centers, cloud providers, and enterprise infrastructure, the impact could be substantial. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitivity of their data and the critical nature of their services. Additionally, the vulnerability could be leveraged to bypass security controls or persist in environments where overlayfs is used for layered filesystems, increasing the attack surface. The absence of known exploits in the wild provides a window for proactive patching, but the potential for future exploitation remains high.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying the latest security updates from their Linux distribution vendors that address CVE-2025-21887. Since the vulnerability is local and requires some privileges, organizations should also enforce strict access controls and minimize the number of users with local login capabilities on critical systems. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues early. Container environments should be reviewed to ensure overlayfs usage is necessary and alternatives considered if feasible. Monitoring system logs for unusual kernel errors or crashes related to overlayfs can provide early detection of exploitation attempts. Additionally, implementing mandatory access controls (e.g., SELinux, AppArmor) can limit the impact of a successful exploit by restricting process capabilities. Regular security audits and vulnerability scanning should include checks for kernel version compliance. Finally, organizations should maintain incident response plans that include scenarios for local privilege escalation vulnerabilities to ensure rapid containment and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-21887: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>
AI-Powered Analysis
Technical Analysis
CVE-2025-21887 is a high-severity vulnerability in the Linux kernel's overlay filesystem (overlayfs) implementation. The flaw is a use-after-free (UAF) condition occurring in the function ovl_dentry_update_reval, specifically related to the handling of dput(upper) calls. The vulnerability arises because dput(upper) is invoked before the last access to upper->d_flags in ovl_dentry_remote, leading to a situation where memory is freed prematurely and then accessed afterward. This results in a use-after-free bug, which is a critical memory safety issue that can lead to arbitrary code execution, kernel crashes, or privilege escalation. The kernel's Kernel Address Sanitizer (KASAN) detected this slab-use-after-free in the overlayfs utility code, confirming the memory corruption. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, indicating it spans several releases. The CVSS 3.1 score of 7.8 reflects the high impact on confidentiality, integrity, and availability, with an attack vector requiring local access but low complexity and limited privileges. Exploitation does not require user interaction, and the scope is unchanged, meaning the vulnerability affects only the vulnerable component without spreading to other system components. The vulnerability is categorized under CWE-416 (Use After Free). No known exploits are currently reported in the wild, but the nature of the flaw makes it a significant risk for local attackers aiming to escalate privileges or cause denial of service on affected Linux systems using overlayfs.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux servers and systems that utilize overlayfs, commonly used in container environments (e.g., Docker, Kubernetes) and virtualization. Successful exploitation could allow local attackers or compromised users to escalate privileges to root, leading to full system compromise. This could result in data breaches, disruption of critical services, and loss of system integrity. Given the widespread adoption of Linux in European data centers, cloud providers, and enterprise infrastructure, the impact could be substantial. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitivity of their data and the critical nature of their services. Additionally, the vulnerability could be leveraged to bypass security controls or persist in environments where overlayfs is used for layered filesystems, increasing the attack surface. The absence of known exploits in the wild provides a window for proactive patching, but the potential for future exploitation remains high.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying the latest security updates from their Linux distribution vendors that address CVE-2025-21887. Since the vulnerability is local and requires some privileges, organizations should also enforce strict access controls and minimize the number of users with local login capabilities on critical systems. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues early. Container environments should be reviewed to ensure overlayfs usage is necessary and alternatives considered if feasible. Monitoring system logs for unusual kernel errors or crashes related to overlayfs can provide early detection of exploitation attempts. Additionally, implementing mandatory access controls (e.g., SELinux, AppArmor) can limit the impact of a successful exploit by restricting process capabilities. Regular security audits and vulnerability scanning should include checks for kernel version compliance. Finally, organizations should maintain incident response plans that include scenarios for local privilege escalation vulnerabilities to ensure rapid containment and remediation.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.782Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdd378
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 2:26:53 PM
Last updated: 8/16/2025, 10:12:38 AM
Views: 30
Related Threats
Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighCVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.