CVE-2025-21654: ovl: support encoding fid from inode with no alias
First published: Sun Jan 19 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ovl: support encoding fid from inode with no alias Dmitry Safonov reported that a WARN_ON() assertion can be trigered by userspace when calling inotify_show_fdinfo() for an overlayfs watched inode, whose dentry aliases were discarded with drop_caches. The WARN_ON() assertion in inotify_show_fdinfo() was removed, because it is possible for encoding file handle to fail for other reason, but the impact of failing to encode an overlayfs file handle goes beyond this assertion. As shown in the LTP test case mentioned in the link below, failure to encode an overlayfs file handle from a non-aliased inode also leads to failure to report an fid with FAN_DELETE_SELF fanotify events. As Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails if it cannot find an alias for the inode, but this failure can be fixed. ovl_encode_fh() seldom uses the alias and in the case of non-decodable file handles, as is often the case with fanotify fid info, ovl_encode_fh() never needs to use the alias to encode a file handle. Defer finding an alias until it is actually needed so ovl_encode_fh() will not fail in the common case of FAN_DELETE_SELF fanotify events.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.20-1 6.12.21-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/3c7c90274ae339e1ad443c9be1c67a20b80b9c76
- https://git.kernel.org/stable/c/c45beebfde34aa71afbc48b2c54cdda623515037
- https://git.kernel.org/stable/c/f0c0ac84de17c37e6e84da65fb920f91dada55ad
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21654
- https://nvd.nist.gov/vuln/detail/CVE-2025-21654
- https://launchpad.net/bugs/cve/CVE-2025-21654
- https://security-tracker.debian.org/tracker/CVE-2025-21654
- https://ubuntu.com/security/CVE-2025-21654
- https://git.kernel.org/linus/c45beebfde34aa71afbc48b2c54cdda623515037
Frequently Asked Questions
What is the severity of CVE-2025-21654?
CVE-2025-21654 is considered a moderate severity vulnerability due to the potential for user-level exploitation.
How do I fix CVE-2025-21654?
To fix CVE-2025-21654, upgrade to the latest stable release of the Linux kernel that includes the patch.
What systems are affected by CVE-2025-21654?
CVE-2025-21654 affects various versions of the Linux kernel that utilize the overlay filesystem.
Can CVE-2025-21654 be exploited remotely?
CVE-2025-21654 is not typically exploitable remotely as it requires local access to the affected system.
What does the warning in CVE-2025-21654 indicate?
The warning in CVE-2025-21654 indicates that an assertion in the kernel was triggered, potentially leading to instability or unexpected behavior.
- agent/first-publish-date
- agent/type
- agent/title
- agent/author
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/launchpad-cve
- source/Launchpad
- vendor/linux
- canonical/linux kernel
- package-manager/debian