The Linux kernel is the heart of countless devices and systems around the globe. Now and then, a seemingly small bug can have surprising consequences, and CVE-2025-21654 is a perfect example. In this post, we'll break down what happened, how it could affect you, and walk through the technical details with code snippets and reference links. Everything here is in plain English, so you don’t need to be a kernel developer to follow along.

What is CVE-2025-21654?

CVE-2025-21654 is a vulnerability found in the Linux kernel’s overlayfs (commonly abbreviated as ovl). The bug relates to how the kernel encodes file handles, specifically when there’s no "alias" (think: a live directory entry, or dentry) left for an inode after users have dropped caches. It can be triggered by a user invoking inotify_show_fdinfo() (by reading the fdinfo entry of an inotify descriptor) on a watched OverlayFS inode after its aliases have been discarded by actions such as echoing to /proc/sys/vm/drop_caches.

This led to a kernel warning (WARN_ON), and more seriously, it broke fanotify events (FAN_DELETE_SELF), which are vital for modern filesystem monitoring.

Background: OverlayFS and Inodes

OverlayFS lets you "stack" filesystems. For example, it’s used for Docker containers and other system images. When the "aliases" (directory entries) pointing to a file (inode) were removed, say by using drop_caches, ovl had trouble generating a file handle for that inode. This broke tools and audit functions that rely on those handles.

How the Bug Could Be Hit

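1. Set up overlayfs with watched files using inotify/fanotify.

2. Drop the cached directory entries:

```sh
echo 2 > /proc/sys/vm/drop_caches
```

3. Read the fdinfo entry of the watching descriptor:

```sh
cat /proc/self/fdinfo/
```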

You’d hit a kernel WARN_ON(), and fanotify events like FAN_DELETE_SELF would fail to include the expected file handle info.

Old Code Snippet (Vulnerable)

```c
struct dentry *alias = find_alias(inode);
if (!alias) {
    WARN_ON(1); // This is where userspace could trigger a warning!
    return -EIO;
}
```

New Code (Patched)

Instead of assuming an alias is always needed, the patch delays looking for an alias until it’s strictly necessary:

```c
struct dentry *alias = NULL;
if (need_alias) {
    alias = find_alias(inode);
    if (!alias)
        return -EIO;
}
// Otherwise, continue without alias if it’s not needed
```

Bottom line: Now, in normal cases such as reporting FAN_DELETE_SELF events, if the alias is gone, things still work.

Real-World Impact

- Security: No full compromise or privilege escalation, but kernel warnings are red flags and can cause process crashes or unreliable monitoring.
- Monitoring/Audit Tools: File event notification systems might silently fail to report certain events, which could confound security tools or data integrity verifications.
- Userspace Breakage: File handles for deleted/unlinked files might not be reported accurately, breaking assumptions for backup, monitoring, or container orchestration tools.

Exploit Scenario

While this isn't a remote code execution bug, here's how an attacker (or even an unprivileged user) could intentionally trigger or "exploit" this:

1. Set up OverlayFS mounts and watch files via inotify/fanotify.
2. Trigger cache drops aggressively (e.g., via repeated writes to /proc/sys/vm/drop_caches).
3. Attempt to read /proc/.../fdinfo or wait for file events — inducing kernel warnings and making notifications incomplete.

This could lead to system misbehavior or make monitoring/audit logs incomplete, potentially evading detection in specific threat models.

- The assertion (WARN_ON) was removed.

- Encoding functions now defer alias lookup, only searching when absolutely needed (for decodable file handles).

Relevant Patch Commit

- Linux 6.8 patch
- LKML discussion: https://lore.kernel.org/linux-fsdevel/2fd40ca3-104e-4eef-b7d8-ef3a8b1aa07@linux.dev/

Summary Table

| Aspect | Details |
|---------------------|-----------------------------------------------------|
| Affected Kernel | 6.6 to 6.7 (and mainline before 6.8) |
| Attack Complexity | Low - User can trigger with local shell access |
| Impact | Kernel warnings, incomplete fanotify events |
| Fixed in | Linux 6.8+ |

- Update your kernel to version 6.8 or newer, especially if using OverlayFS or fanotify.

- Avoid allowing untrusted code to trigger /proc/sys/vm/drop_caches or manipulate watched overlayfs inodes.
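An exposure check built from the summary table and the mitigation advice above, as an added example that is not code from the original post or from the kernel project. The function names and sample inputs are constructed for illustration. It assumes an upstream-style version string (distribution backports of the fix are not detected) and that a failed handle encode leaves the fhandle fields off the inotify line in fdinfo.

```python
import re

AFFECTED_FROM, FIXED_IN = (6, 6), (6, 8)  # range taken from the page's summary table

def kernel_in_affected_range(release):
    """True if a `uname -r` style string falls in [6.6, 6.8)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return AFFECTED_FROM <= (int(m.group(1)), int(m.group(2))) < FIXED_IN

def overlay_mountpoints(mounts_text):
    """Mount points of type 'overlay' found in /proc/mounts text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()  # device, mount point, fs type, options, ...
        if len(fields) >= 3 and fields[2] == "overlay":
            points.append(fields[1])
    return points

def inotify_marks_missing_handle(fdinfo_text):
    """inotify entries in /proc/<pid>/fdinfo/<fd> text that carry no f_handle."""
    return [line for line in fdinfo_text.splitlines()
            if line.startswith("inotify ") and "f_handle:" not in line]

def assess(release, mounts_text, fdinfo_text=""):
    """Combine the three checks into one report for a host."""
    overlays = overlay_mountpoints(mounts_text)
    return {
        "exposed": kernel_in_affected_range(release) and bool(overlays),
        "overlay_mounts": overlays,
        "marks_missing_handle": inotify_marks_missing_handle(fdinfo_text),
    }

# Constructed sample inputs (not captured from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,lowerdir=/l,upperdir=/u,workdir=/w 0 0
"""
SAMPLE_FDINFO = """\
pos:\t0
flags:\t02000000
inotify wd:1 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
inotify wd:2 ino:9e80 sdev:2e mask:400 ignored_mask:0 
"""

if __name__ == "__main__":
    print(assess("6.7.4-generic", SAMPLE_MOUNTS, SAMPLE_FDINFO))
```

On a live host, pass the output of `uname -r`, the contents of /proc/mounts, and the fdinfo text of the monitoring agent's inotify descriptor.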

Conclusion

CVE-2025-21654 shows how subtle kernel code paths — like encoding file handles in OverlayFS — can affect system reliability. While this isn’t catastrophic, it reminds us of the complexity in modern filesystems and the importance of solid kernel hygiene.

If you’re a Linux sysadmin, container engineer, or just care about your Linux box’s health, patch up and spread the word!

Further Reading

- LTP Test Case
- OverlayFS Kernel Docs
- OverlayFS updates on Kernel Mailing List

Timeline

Published on: 01/19/2025 11:15:11 UTC
Last modified on: 05/04/2025 07:18:19 UTC