Linux Kernel
CVE-2025-68239
Lifecycle Timeline
2DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec()
bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.
AnalysisAI
Linux kernel binfmt_misc module fails to restore write access to executable files when error handling closes improperly opened file descriptors, potentially causing subsequent write operations on the same file to fail and creating a denial-of-service condition for legitimate file modifications. The vulnerability affects the bm_register_write() function which uses open_exec() to open executable files with intentionally denied write permissions, but does not call exe_file_allow_write_access() before closing the file on error paths. With an EPSS score of 0.03% (8th percentile), this represents a low exploitation probability; no public exploit has been identified at time of analysis.
Technical ContextAI
The Linux kernel binfmt_misc subsystem manages binary format handlers and uses open_exec() to safely open executable files while denying write access through do_open_execat(). The open_exec() function internally invokes deny_write_access() to prevent file modification while execution is occurring. However, error paths in bm_register_write() call filp_close() directly without first restoring write permissions via exe_file_allow_write_access(). This is a resource management issue (CWE class involving improper cleanup of resources) where the file descriptor is closed but the associated write-denial state persists in the inode structure. The root cause lies in asymmetric error handling where the deny_write_access state acquired during open_exec() is not properly reversed before file closure.
Affected ProductsAI
The Linux kernel is affected; specific version ranges are not explicitly defined in the provided data but the vulnerability exists in the binfmt_misc module across multiple stable kernel branches based on the five referenced commits. The fixes are available in stable kernel series as indicated by the git.kernel.org stable branch commits: 480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f, 6cce7bc7fac8471c832696720d9c8f2a976d9c54, 90f601b497d76f40fa66795c3ecf625b6aced9fd, e785f552ab04dbca01d31f0334f4561240b04459, and fbab8c08e1a6dbaef81e22d672a7647553101d16. Linux distributions shipping affected kernel versions prior to receiving these patches are impacted, though the exact affected kernel versions are not enumerated in the provided intelligence.
RemediationAI
Apply kernel updates from your Linux distribution that include the binfmt_misc write access restoration fix. Upstream patches are available via the Linux kernel stable branches referenced at https://git.kernel.org/stable/c/480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f and related commits. System administrators should prioritize kernel updates from their distribution vendor (Red Hat, Canonical, SUSE, Debian, etc.) which will backport these fixes into their supported kernel versions. Until patching is completed, the vulnerability only manifests when bm_register_write() encounters errors during binary format handler registration, so limiting use of custom binfmt_misc handlers to trusted configurations provides partial mitigation. No workaround at the application or configuration level can prevent the underlying kernel-level issue; patching is the primary remediation path.
More in Linux Kernel
View allLinux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today