Cyber Resilience

CVE-2025-21887

High

Published: 27 March 2025
Modified: 06 December 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21887 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21887 is a use-after-free (UAF) vulnerability in the Linux kernel's overlayfs (ovl) implementation. In ovl_link_up(), dput(upper) is called before ovl_dentry_update_reval() runs, and ovl_dentry_remote() then reads upper->d_flags from the already released dentry; KASAN reports this as a slab-use-after-free. The path is reached during copy-up, for example through ovl_copy_up_one(), ovl_copy_up_flags(), and ovl_rename(). The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can trigger the flaw with low attack complexity and no user interaction. Exploitation involves overlayfs operations such as rename or link-up that reach the affected code path; the consequences range from kernel crashes to data corruption or arbitrary code execution, which is why confidentiality, integrity, and availability are all rated High.

Mitigation requires updating to a patched Linux kernel, as detailed in the upstream stable commit references. The fix and its stable backports, commits 3594aad97e7b (general ovl fix), 4b49d939b5a7 (ovl_dentry_update_reval adjustment), 60b4b5c1277f, 64455c8051c3, and a7c41830ffcd, move dput(upper) after its final use in ovl_link_up() so the dentry is no longer released before ovl_dentry_update_reval() reads it. Apply the backport for each affected kernel release promptly.
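The ordering bug described above, modelled as an added userspace C example that is neither kernel code nor the upstream patch: a refcounted dentry-like object whose last dput() releases it, with the reference dropped before d_flags is read versus after. The names dput, d_flags and DCACHE_OP_REVALIDATE mirror the kernel's; everything else, including the flag value and the freed marker that stands in for KASAN, is constructed.

```c
#include <stdlib.h>

/* Constructed model of the ordering bug: not kernel code. The flag value
 * and the "freed" marker stand in for kernel internals and KASAN. */
#define DCACHE_OP_REVALIDATE 0x1u

struct dentry {
    int refcount;
    unsigned int d_flags;
    int freed;              /* set when the last reference is dropped */
};

static int uaf_reports;     /* accesses seen after release, like KASAN hits */

static struct dentry *dentry_alloc(unsigned int flags) {
    struct dentry *d = calloc(1, sizeof *d);
    d->refcount = 1;
    d->d_flags = flags;
    return d;
}

static void dput(struct dentry *d) {
    if (--d->refcount == 0)
        d->freed = 1;       /* the kernel would free the slab object here */
}

static int dentry_remote(struct dentry *d) {
    if (d->freed)
        uaf_reports++;      /* reading d_flags of a released dentry */
    return (d->d_flags & DCACHE_OP_REVALIDATE) != 0;
}

/* Vulnerable ordering: the reference is dropped before d_flags is read. */
static int link_up_before_fix(struct dentry *upper) {
    dput(upper);
    return dentry_remote(upper);
}

/* Fixed ordering: dput() moved after the last use of upper. */
static int link_up_after_fix(struct dentry *upper) {
    int remote = dentry_remote(upper);
    dput(upper);
    return remote;
}

/* One copy-up with a single-reference upper dentry; returns how many
 * post-release accesses occurred: 1 for the old order, 0 for the fix. */
int run_link_up(int fixed) {
    struct dentry *upper = dentry_alloc(DCACHE_OP_REVALIDATE);
    uaf_reports = 0;
    if (fixed) link_up_after_fix(upper); else link_up_before_fix(upper);
    free(upper);
    return uaf_reports;
}
```

The fixed ordering still reads the flag correctly, so the upstream change is purely a lifetime fix and does not alter the remote-dentry decision.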


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free.

BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
</TASK>


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The Linux kernel UAF in overlayfs directly enables local privilege escalation: the vulnerable code paths are reached during copy-up and rename operations, and exploiting them can lead to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: Linux
Product: Linux kernel
Affected versions: 6.14; 5.10.188 to 5.11; 5.15.121 to 5.15.179; 6.1.39 to 6.1.130

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Timely patching of the Linux kernel to fix the use-after-free in overlayfs ovl_dentry_update_reval, as detailed in the upstream commits.

Prevent: Kernel memory protections such as KASLR, SMEP, and SMAP hinder exploitation of the UAF on systems that are not yet patched.

Detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanning identifies CVE-2025-21887 in deployed kernel versions and triggers remediation before the overlayfs code path can be abused.
