- Vulnerability/
- CVE-2025-21691
CVE-2025-21691: cachestat: fix page cache statistics permission checking
First published: Mon Feb 10 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma).
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.135-1 6.12.22-1 6.12.25-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/5f537664e705b0bf8b7e329861f20128534f6a83
- https://git.kernel.org/stable/c/780ab8329672464984cf1344bd5c3993af0226c7
- https://git.kernel.org/stable/c/7d6405c13b0d8a8367cd8df63f118b619a3f0dd2
- https://git.kernel.org/stable/c/97153a05077f618f7471f50a78158602badccb30
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21691
- https://nvd.nist.gov/vuln/detail/CVE-2025-21691
- https://launchpad.net/bugs/cve/CVE-2025-21691
- https://security-tracker.debian.org/tracker/CVE-2025-21691
- https://ubuntu.com/security/CVE-2025-21691
- https://git.kernel.org/linus/5f537664e705b0bf8b7e329861f20128534f6a83
Frequently Asked Questions
What is the severity of CVE-2025-21691?
CVE-2025-21691 has been classified with a medium severity level due to possible permission issues in the page cache statistics.
How do I fix CVE-2025-21691?
To fix CVE-2025-21691, update your Linux kernel to the latest stable version that includes the patch for this vulnerability.
What systems are affected by CVE-2025-21691?
CVE-2025-21691 affects the Linux kernel, specifically versions that include the 'cachestat()' system call.
What is the nature of the vulnerability identified in CVE-2025-21691?
CVE-2025-21691 involves improper permission checking in the 'cachestat()' system call, which could lead to unauthorized access to cache statistics.
When was CVE-2025-21691 reported?
CVE-2025-21691 was reported following the implementation of the 'cachestat()' system call in the Linux kernel.
- agent/title
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/author
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-cve
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- package-manager/debian