CVE-2025-68736

2025-12-24

Lifecycle Timeline

Analysis Generated: Apr 02, 2026 - 12:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

landlock: Fix handling of disconnected directories

Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope).

Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed.

For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead.

Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1].

The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective.

Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment.

Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files.

Analysis

The Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through a bind mount but inaccessible from the mount point after a rename or move), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths; triggering it requires that the sandboxed task already possess write access to the bind mount source and read access to the mount point.

Technical Context

Landlock is a Linux kernel security module that implements a mandatory access control (MAC) framework for filesystem operations using a hierarchical domain-based permission model. The vulnerability exists in the access rights collection mechanism used when evaluating filesystem operations on files or directories opened through a bind mount that have been subsequently renamed or moved outside the accessible scope of that mount. The root cause involves improper handling of the filesystem hierarchy walk in collect_domain_accesses() when a mount point cannot be found during traversal, leading to inconsistent rights inheritance from hidden filesystem hierarchies rather than from the proper mount point context. The fix involves modifying the access rights evaluation to account for both the filesystem hierarchy and the mount point from which disconnected directories were originally opened, ensuring that the LANDLOCK_ACCESS_FS_REFER permission check prevents access right widening during rename operations. The CWE is not explicitly stated but the issue relates to improper access control validation and information disclosure through inconsistent permission enforcement.

Affected Products

The vulnerability affects the Linux kernel Landlock security module across all versions prior to the fix commits. The issue impacts any Linux distribution or system using Landlock for mandatory access control enforcement, including containerization platforms (systemd-nspawn, OCI runtimes) and sandboxing solutions that rely on Landlock. Specific affected versions are those in the Linux kernel stable branches prior to commit 426d5b681b2f3339ff04da39b81d71176dc8c87c (referenced in kernel.org stable tree), commit 49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1, and commit cadb28f8b3fd6908e3051e86158c65c3a8e1c907. The CPE for affected products would be cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with version constraints dependent on specific stable branch release dates.

Remediation

Update the Linux kernel to a patched stable release incorporating commits 426d5b681b2f3339ff04da39b81d71176dc8c87c, 49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1, or cadb28f8b3fd6908e3051e86158c65c3a8e1c907, available via https://git.kernel.org/stable. For users on specific Linux distributions, apply kernel security updates from your distribution's repository (Ubuntu, Debian, Red Hat, etc.) that incorporate these Landlock fixes. No workaround exists for mitigating the access control inconsistency without kernel patching; organizations relying on Landlock for security should prioritize kernel updates. Verify that any Landlock-dependent containerization or sandboxing tools are updated to run on the patched kernel version, and re-evaluate security policies to ensure they account for corrected access right enforcement on disconnected paths.

Priority Score

Priority Score: 0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
