CVE-2025-68239
Description
In the Linux kernel, the following vulnerability has been resolved:

binfmt_misc: restore write access before closing files opened by open_exec()

bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.

Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.
Analysis
The Linux kernel binfmt_misc module fails to restore write access to an executable file when an error path in bm_register_write() closes it. Subsequent write operations on the same file may then fail, creating a denial-of-service condition for legitimate file modifications. bm_register_write() opens the file with open_exec(), which intentionally denies write access, but on error paths it closes the file without first calling exe_file_allow_write_access(). With an EPSS score of 0.03% (8th percentile), this represents a low exploitation probability; no public exploit has been identified at time of analysis.
Technical Context
The Linux kernel binfmt_misc subsystem manages binary format handlers. It opens executable files with open_exec(), which denies write access through do_open_execat() by invoking deny_write_access(), so that the file cannot be modified while it is being executed. However, error paths in bm_register_write() call filp_close() directly without first restoring write access via exe_file_allow_write_access(). This is a resource management issue (a CWE class involving improper cleanup of resources): the file is closed, but the associated write-denial state persists in the inode structure. The root cause is asymmetric error handling, where the write-denial state acquired during open_exec() is not reversed before the file is closed.
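The asymmetry described above can be reproduced in a small userspace model. This is an added example, not kernel code and not taken from the fix commits: the `model_*` names, the `-ENOMEM` stand-in error, and the signed per-inode counter with `-ETXTBSY` (mirroring the kernel's `i_writecount` convention) are assumptions of the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model (constructed): one counter per inode.
 * > 0: open writers, < 0: write access denied for execution. */
struct model_inode { int writecount; };

/* Models the deny step done inside open_exec(): fails if writers exist. */
static int model_deny_write(struct model_inode *i) {
    if (i->writecount > 0) return -ETXTBSY;
    i->writecount--;
    return 0;
}

/* Models exe_file_allow_write_access(): undoes one deny. */
static void model_allow_write(struct model_inode *i) { i->writecount++; }

/* Models a later open-for-write on the same file. */
static int model_open_for_write(struct model_inode *i) {
    if (i->writecount < 0) return -ETXTBSY;
    i->writecount++;
    return 0;
}

/* Models the register path hitting an error after the file was opened.
 * fixed == 0: close only (pre-fix); fixed == 1: restore, then close. */
static int model_register_error_path(struct model_inode *i, int fixed) {
    int err = model_deny_write(i);
    if (err) return err;
    /* ... a later step fails (hypothetical error) ... */
    if (fixed) model_allow_write(i);
    /* filp_close() would run here; it does not touch the deny state */
    return -ENOMEM;
}

/* Result of a write-open attempted after the failed registration. */
static int write_after_failed_register(int fixed) {
    struct model_inode inode = { 0 };
    model_register_error_path(&inode, fixed);
    return model_open_for_write(&inode);
}

int main(void) {
    printf("pre-fix:  %d\n", write_after_failed_register(0));
    printf("post-fix: %d\n", write_after_failed_register(1));
    return 0;
}
```

In the pre-fix case the counter stays negative after the close, so the later write-open fails even though nothing is executing the file.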
Affected Products
The Linux kernel is affected. Specific version ranges are not given, but the five referenced commits indicate that the vulnerability exists in the binfmt_misc module across multiple stable kernel branches. The fixes are available in the stable kernel series as the following git.kernel.org stable branch commits: 480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f, 6cce7bc7fac8471c832696720d9c8f2a976d9c54, 90f601b497d76f40fa66795c3ecf625b6aced9fd, e785f552ab04dbca01d31f0334f4561240b04459, and fbab8c08e1a6dbaef81e22d672a7647553101d16. Linux distributions shipping affected kernel versions that have not yet received these patches are impacted, though the exact affected kernel versions are not enumerated.
Remediation
Apply kernel updates from your Linux distribution that include the binfmt_misc write access restoration fix. Upstream patches are available via the Linux kernel stable branches referenced at https://git.kernel.org/stable/c/480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f and related commits. System administrators should prioritize kernel updates from their distribution vendor (Red Hat, Canonical, SUSE, Debian, etc.) which will backport these fixes into their supported kernel versions. Until patching is completed, the vulnerability only manifests when bm_register_write() encounters errors during binary format handler registration, so limiting use of custom binfmt_misc handlers to trusted configurations provides partial mitigation. No workaround at the application or configuration level can prevent the underlying kernel-level issue; patching is the primary remediation path.