Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required to open the file; sole impact is availability to SELinux policy readers, no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
selinux: allow multiple opens of /sys/fs/selinux/policy
Currently there can only be a single open of /sys/fs/selinux/policy at any time. This allows any process to block any other process from reading the kernel policy. The original motivation seems to have been a mix of preventing an inconsistent view of the policy size and preventing userspace from allocating kernel memory without bound, but this is arguably equally bad. Eliminate the policy_opened flag and shrink the critical section that the policy mutex is held. While we are making changes here, drop a couple of extraneous BUG_ONs.
AnalysisAI
Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the /sys/fs/selinux/policy file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a policy_opened flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.
Technical ContextAI
The affected component is the SELinux pseudo-filesystem, specifically the /sys/fs/selinux/policy file exposed via the kernel's selinuxfs. The code maintained a policy_opened boolean flag that permitted only one concurrent opener at a time, enforced under the policy mutex. While the intent was to present a consistent snapshot of policy size to userspace and avoid indefinite kernel memory commitment, the implementation created a denial-of-service window: any process holding the file open would exhaust the single-open slot, starving security tools (e.g., sesearch, audit2allow, policy loaders) that need to read the policy. The patch eliminates policy_opened, shrinks the critical section held under the policy mutex, and removes two extraneous BUG_ON assertions. The CWE is not formally assigned, but this maps closely to CWE-667 (Improper Locking) or CWE-400 (Uncontrolled Resource Consumption). Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covering kernel versions from commit 1da177e4c3f4 up to the fix commits.
RemediationAI
The primary fix is to upgrade the Linux kernel to version 7.0.7 (stable) or 7.1-rc3 (release candidate), which contain commits 714362f3779dfa453a78ced32396a72726962a41 and a02cd6805562305f936e807da83e253b719dd995 respectively - available via https://git.kernel.org/stable/c/714362f3779dfa453a78ced32396a72726962a41 and https://git.kernel.org/stable/c/a02cd6805562305f936e807da83e253b719dd965. Distribution maintainers should backport these commits to supported kernel stable branches. As a compensating control pending patching, access to /sys/fs/selinux/policy can be restricted using DAC permissions or a mandatory access control policy that limits which processes may open the file, reducing the pool of potential abusers - though this may break legitimate policy-introspection tooling. There are no trade-free workarounds; the only complete resolution is applying the upstream patch.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35167
GHSA-m47f-j4g8-cj3f