Skip to main content

Linux Kernel CVE-2025-68736

2025-12-24 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Lifecycle Timeline

2
Analysis Generated
Apr 02, 2026 - 12:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

landlock: Fix handling of disconnected directories

Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope).

Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed.

For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead.

Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1].

The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective.

Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment.

Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files.

AnalysisAI

Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through bind mounts but inaccessible from the mount point after rename/move operations), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths, requiring the sandboxed task to already possess write access to the bind mount source and read access to the mount point to trigger the issue.

Technical ContextAI

Landlock is a Linux kernel security module that implements a mandatory access control (MAC) framework for filesystem operations using a hierarchical domain-based permission model. The vulnerability exists in the access rights collection mechanism used when evaluating filesystem operations on files or directories opened through a bind mount that have been subsequently renamed or moved outside the accessible scope of that mount. The root cause involves improper handling of the filesystem hierarchy walk in collect_domain_accesses() when a mount point cannot be found during traversal, leading to inconsistent rights inheritance from hidden filesystem hierarchies rather than from the proper mount point context. The fix involves modifying the access rights evaluation to account for both the filesystem hierarchy and the mount point from which disconnected directories were originally opened, ensuring that the LANDLOCK_ACCESS_FS_REFER permission check prevents access right widening during rename operations. The CWE is not explicitly stated but the issue relates to improper access control validation and information disclosure through inconsistent permission enforcement.

Affected ProductsAI

The vulnerability affects the Linux kernel Landlock security module across all versions prior to the fix commits. The issue impacts any Linux distribution or system using Landlock for mandatory access control enforcement, including containerization platforms (systemd-nspawn, OCI runtimes) and sandboxing solutions that rely on Landlock. Specific affected versions are those in the Linux kernel stable branches prior to commit 426d5b681b2f3339ff04da39b81d71176dc8c87c (referenced in kernel.org stable tree), commit 49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1, and commit cadb28f8b3fd6908e3051e86158c65c3a8e1c907. The CPE for affected products would be cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with version constraints dependent on specific stable branch release dates.

RemediationAI

Update the Linux kernel to a patched stable release incorporating commits 426d5b681b2f3339ff04da39b81d71176dc8c87c, 49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1, or cadb28f8b3fd6908e3051e86158c65c3a8e1c907, available via https://git.kernel.org/stable. For users on specific Linux distributions, apply kernel security updates from your distribution's repository (Ubuntu, Debian, Red Hat, etc.) that incorporate these Landlock fixes. No workaround exists for mitigating the access control inconsistency without kernel patching; organizations relying on Landlock for security should prioritize kernel updates. Verify that any Landlock-dependent containerization or sandboxing tools are updated to run on the patched kernel version, and re-evaluate security policies to ensure they account for corrected access right enforcement on disconnected paths.

CVE-2022-0847 HIGH POC
7.8 Mar 10

Linux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo

CVE-2015-1328 HIGH POC
7.8 Nov 28

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no

CVE-2017-7308 HIGH POC
7.8 Mar 29

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer

CVE-2017-16995 HIGH POC
7.8 Dec 27

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial

CVE-2017-1000112 HIGH POC
7.0 Oct 05

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex

CVE-2015-8660 MEDIUM POC
6.7 Dec 28

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op

CVE-2012-0056 MEDIUM POC
6.9 Jan 27

The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when

CVE-2014-0038 MEDIUM POC
6.9 Feb 06

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo

CVE-2016-8655 HIGH POC
7.8 Dec 08

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau

CVE-2016-0728 HIGH POC
7.8 Feb 08

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref

CVE-2017-0561 CRITICAL POC
9.8 Apr 07

A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary

CVE-2022-2588 MEDIUM POC
5.3 Jan 08

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h

Share

CVE-2025-68736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy