vulnerability

Ubuntu: (Multiple Advisories) (CVE-2025-21654): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Jan 19, 2025	Mar 28, 2025	Sep 30, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Jan 19, 2025

Added

Mar 28, 2025

Modified

Sep 30, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ovl: support encoding fid from inode with no alias

Dmitry Safonov reported that a WARN_ON() assertion can be trigered by
userspace when calling inotify_show_fdinfo() for an overlayfs watched
inode, whose dentry aliases were discarded with drop_caches.

The WARN_ON() assertion in inotify_show_fdinfo() was removed, because
it is possible for encoding file handle to fail for other reason, but
the impact of failing to encode an overlayfs file handle goes beyond
this assertion.

As shown in the LTP test case mentioned in the link below, failure to
encode an overlayfs file handle from a non-aliased inode also leads to
failure to report an fid with FAN_DELETE_SELF fanotify events.

As Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails
if it cannot find an alias for the inode, but this failure can be fixed.
ovl_encode_fh() seldom uses the alias and in the case of non-decodable
file handles, as is often the case with fanotify fid info,
ovl_encode_fh() never needs to use the alias to encode a file handle.

Defer finding an alias until it is actually needed so ovl_encode_fh()
will not fail in the common case of FAN_DELETE_SELF fanotify events.

Solutions

ubuntu-upgrade-linux-image-6-11-0-1007-realtimeubuntu-upgrade-linux-image-6-11-0-1010-raspiubuntu-upgrade-linux-image-6-11-0-1011-awsubuntu-upgrade-linux-image-6-11-0-1011-gcpubuntu-upgrade-linux-image-6-11-0-1011-gcp-64kubuntu-upgrade-linux-image-6-11-0-1011-lowlatencyubuntu-upgrade-linux-image-6-11-0-1011-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1012-azureubuntu-upgrade-linux-image-6-11-0-1012-azure-fdeubuntu-upgrade-linux-image-6-11-0-1013-oracleubuntu-upgrade-linux-image-6-11-0-1013-oracle-64kubuntu-upgrade-linux-image-6-11-0-1017-oemubuntu-upgrade-linux-image-6-11-0-21-genericubuntu-upgrade-linux-image-6-11-0-21-generic-64kubuntu-upgrade-linux-image-6-8-0-1012-gkeopubuntu-upgrade-linux-image-6-8-0-1016-azure-nvidiaubuntu-upgrade-linux-image-6-8-0-1025-gkeubuntu-upgrade-linux-image-6-8-0-1026-ibmubuntu-upgrade-linux-image-6-8-0-1026-oracleubuntu-upgrade-linux-image-6-8-0-1026-oracle-64kubuntu-upgrade-linux-image-6-8-0-1028-nvidiaubuntu-upgrade-linux-image-6-8-0-1028-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1028-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1028-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1028-oemubuntu-upgrade-linux-image-6-8-0-1028-raspiubuntu-upgrade-linux-image-6-8-0-1029-awsubuntu-upgrade-linux-image-6-8-0-1029-azureubuntu-upgrade-linux-image-6-8-0-1029-azure-fdeubuntu-upgrade-linux-image-6-8-0-1030-gcpubuntu-upgrade-linux-image-6-8-0-1030-gcp-64kubuntu-upgrade-linux-image-6-8-0-2023-raspi-realtimeubuntu-upgrade-linux-image-6-8-0-60-genericubuntu-upgrade-linux-image-6-8-0-60-generic-64kubuntu-upgrade-linux-image-6-8-0-60-lowlatencyubuntu-upgrade-linux-image-6-8-0-60-lowlatency-64kubuntu-upgrade-linux-image-6-8-1-1022-realtimeubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-lts-24-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-lts-24-04ubuntu-upgrade-linux-image-azure-lts-24-04ubuntu-upgrade-linux-image-azure-nvidiaubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-64kubuntu-upgrade-linux-image-gcp-64k-lts-24-04ubuntu-upgrade-linux-image-gcp-lts-24-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-64k-lts-24-04ubuntu-upgrade-linux-image-oracle-lts-24-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-realtimeubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-realtime-hwe-24-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today