CVE-2025-21887
Published: 27 March 2025
Summary
CVE-2025-21887 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood score sits at the 2.8th percentile, well below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-21887 is a use-after-free (UAF) vulnerability in the Linux kernel's overlayfs (ovl) filesystem implementation. The defect is in ovl_link_up() (fs/overlayfs/copy_up.c): it called dput(upper) before ovl_dentry_update_reval(), which still reads upper->d_flags through ovl_dentry_remote() (fs/overlayfs/util.c). Once no other reference keeps the upper dentry alive, that dput() frees it, and the later read of d_flags is a slab-use-after-free, which is exactly what KASAN reported. ovl_link_up() runs during copy-up, reached from ovl_copy_up_one() via ovl_copy_up_flags(); in the reported trace the copy-up was forced by ovl_rename(). The vulnerability is classified as CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction. Triggering it means driving overlayfs operations that cause a copy-up of a lower-layer file, such as renaming or linking it, on an overlay mount the attacker can write to; container runtimes that use overlayfs as their storage driver expose exactly this kind of mount to workloads. The C:H/I:H/A:H impact ratings reflect what a kernel-memory UAF can yield: a kernel crash (denial of service), corruption of kernel data, or, if the freed dentry slab object is reallocated under attacker control, arbitrary code execution in kernel context.
Mitigation is to update to a patched kernel. The upstream advisory references the fix commits 3594aad97e7b, 4b49d939b5a7, 60b4b5c1277f, 64455c8051c3 and a7c41830ffcd; they carry the same small change, moving dput(upper) in ovl_link_up() after its last use in ovl_dentry_update_reval(), across the mainline and stable branches the advisory covers. Security practitioners should apply the stable backport for each affected kernel release promptly. Short of a patched kernel, the only way to remove the exposure is to not give untrusted local users write access to overlayfs mounts.
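The ordering mistake behind the bug, as an added user-space illustration written for this page; it is not kernel code and not the upstream patch. The struct dentry, the dget()/dput() helpers, the DCACHE_OP_REVALIDATE value and the two link_up variants are simplified stand-ins for the kernel's dentry API, and the stale read is made observable with a model-only tracking bit instead of a real freed allocation.

```c
/*
 * Added illustration for this page, not kernel code: a user-space model of
 * the reference-count ordering bug in ovl_link_up().  The struct, the
 * dget()/dput() helpers, the flag value and the two link_up variants are
 * simplified stand-ins for the kernel's dentry API.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define DCACHE_OP_REVALIDATE 0x1u   /* assumed value, illustration only */

struct dentry {
    int refcount;
    unsigned int d_flags;
    bool freed;   /* model-only: lets a stale read be detected deterministically */
};

static struct dentry *dentry_alloc(unsigned int flags)
{
    struct dentry *d = calloc(1, sizeof(*d));
    if (!d)
        abort();
    d->refcount = 1;
    d->d_flags = flags;
    return d;
}

static void dget(struct dentry *d) { d->refcount++; }

/*
 * Drop one reference.  The last dput() "frees" the dentry.  The model keeps
 * the allocation and poisons d_flags instead of calling free(), so a
 * subsequent read is observable rather than undefined behaviour.
 */
static void dput(struct dentry *d)
{
    if (d && --d->refcount == 0) {
        d->freed = true;
        d->d_flags = 0xdeadbeefu;
    }
}

/* Stand-in for ovl_dentry_remote(): reads upper->d_flags.  Sets *uaf if that
 * read touched a dentry whose last reference is already gone. */
static bool ovl_dentry_remote(const struct dentry *upper, bool *uaf)
{
    if (upper->freed)
        *uaf = true;
    return (upper->d_flags & DCACHE_OP_REVALIDATE) != 0;
}

/* Stand-in for ovl_dentry_update_reval(): copies the revalidate flag from the
 * upper dentry onto the overlay dentry. */
static void ovl_dentry_update_reval(struct dentry *ovl, const struct dentry *upper, bool *uaf)
{
    if (ovl_dentry_remote(upper, uaf))
        ovl->d_flags |= DCACHE_OP_REVALIDATE;
}

/* Pre-fix ordering: the reference is dropped before the last use of upper.
 * Returns true if the model observed a read of the freed dentry. */
static bool link_up_buggy(struct dentry *ovl, struct dentry *upper)
{
    bool uaf = false;
    dput(upper);
    ovl_dentry_update_reval(ovl, upper, &uaf);
    return uaf;
}

/* Fixed ordering: dput(upper) moved after its last use. */
static bool link_up_fixed(struct dentry *ovl, struct dentry *upper)
{
    bool uaf = false;
    ovl_dentry_update_reval(ovl, upper, &uaf);
    dput(upper);
    return uaf;
}

int main(void)
{
    struct dentry *ovl = dentry_alloc(0);

    struct dentry *u1 = dentry_alloc(DCACHE_OP_REVALIDATE);
    printf("buggy order, sole reference: uaf=%d\n", link_up_buggy(ovl, u1));
    free(u1);

    struct dentry *u2 = dentry_alloc(DCACHE_OP_REVALIDATE);
    printf("fixed order, sole reference: uaf=%d flag copied=%d\n",
           link_up_fixed(ovl, u2), (ovl->d_flags & DCACHE_OP_REVALIDATE) != 0);
    free(u2);

    /* With a second holder of the reference the buggy order is silent, which
     * is why the bug depends on the dropped reference being the last one. */
    struct dentry *u3 = dentry_alloc(DCACHE_OP_REVALIDATE);
    dget(u3);
    printf("buggy order, extra reference: uaf=%d\n", link_up_buggy(ovl, u3));
    free(u3);
    free(ovl);
    return 0;
}
```

The third case in main() is the practitioner's caveat: the buggy ordering only misbehaves when the dropped reference was the last one, which is why a refcount-ordering bug of this kind can sit quietly until a path such as the copy-up from ovl_rename() reaches it with no other holder, and why a KASAN-instrumented kernel is the reliable way to surface it.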
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8469
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free.

BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
</TASK>
Related Threats
MITRE ATT&CK Enterprise Techniques
Exploitation for Privilege Escalation (T1068)
Why these techniques?
A local user who can drive overlayfs copy-up or rename operations can trigger the UAF in ovl_link_up(); a successful exploit of that kernel memory corruption yields code execution in kernel context, i.e. local privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely patching of the Linux kernel with the upstream fix that moves dput(upper) after its last use in ovl_link_up(), i.e. the stable backport for each affected release.
Kernel hardening features such as KASLR, SMEP and SMAP do not remove the use-after-free, but they raise the cost of turning it into kernel code execution on systems that cannot be patched immediately; treat them as a stopgap, not a fix.
RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies CVE-2025-21887 by kernel version, including on container hosts where overlayfs is the storage driver, and triggers remediation before the overlayfs code paths can be abused.