VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68212

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: Fix uninitialized 'offp' in statmount_string()

In statmount_string(), most flags assign an output offset pointer (offp) which is later updated with the string offset. However, the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the struct fields instead of using offp. This leaves offp uninitialized, leading to a possible uninitialized dereference when *offp is updated.

Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code path consistent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, statmount_string() leaves offp uninitialized for UIDMAP/GIDMAP flags, causing a potential uninitialized dereference.

Vulnerability

Analysis

In the Linux kernel's statmount_string() function, most flag cases assign an output offset pointer (offp) that the common tail of the function later updates with the string offset. The STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases instead write their struct fields directly and never assign offp. Because offp is a local variable of statmount_string(), those two paths reach the tail with offp holding whatever was left in that stack slot, and the unconditional update of *offp becomes a write through an uninitialized pointer [1].
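The control flow described above, reduced to a user-space model (this is an added example, not the kernel's fs/namespace.c code; the struct, flag names and error values are stand-ins). The unfixed function mirrors the flawed switch, with the uninitialized pointer modelled as NULL so the missing assignment is observable instead of fatal; the fixed function assigns offp in every arm, as the patch does; a small walker reports which flags leave offp unset in each version.

```c
/*
 * Added example: user-space model of the statmount_string() offp bug.
 * Not the kernel's code; all names here are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the __u32 string-offset fields of struct statmount. */
struct sm_model {
	uint32_t fs_type;
	uint32_t mnt_uidmap;
	uint32_t mnt_gidmap;
	uint64_t mask;
};

enum {
	M_FS_TYPE    = 1u << 0,
	M_MNT_UIDMAP = 1u << 1,
	M_MNT_GIDMAP = 1u << 2,
};

#define ERR_INVAL      (-22)
#define ERR_UNSET_OFFP (-100) /* returned instead of writing through an unset pointer */

/*
 * Unfixed shape: the FS_TYPE arm assigns offp, the UIDMAP and GIDMAP arms
 * set the struct field directly and leave offp alone. In the kernel offp
 * is an uninitialized stack variable; NULL models "never assigned" here.
 */
static int string_offset_unfixed(struct sm_model *sm, unsigned flag, uint32_t start)
{
	uint32_t *offp = NULL; /* models the uninitialized local */

	switch (flag) {
	case M_FS_TYPE:
		offp = &sm->fs_type;
		break;
	case M_MNT_UIDMAP:
		sm->mnt_uidmap = start; /* field written directly, offp untouched */
		break;
	case M_MNT_GIDMAP:
		sm->mnt_gidmap = start;
		break;
	default:
		return ERR_INVAL;
	}

	/* Common tail: the kernel does "*offp = start" unconditionally here. */
	if (!offp)
		return ERR_UNSET_OFFP; /* the kernel would dereference stack garbage */
	*offp = start;
	sm->mask |= flag;
	return 0;
}

/* Fixed shape: every arm assigns offp, so the common tail is always safe. */
static int string_offset_fixed(struct sm_model *sm, unsigned flag, uint32_t start)
{
	uint32_t *offp;

	switch (flag) {
	case M_FS_TYPE:    offp = &sm->fs_type;    break;
	case M_MNT_UIDMAP: offp = &sm->mnt_uidmap; break;
	case M_MNT_GIDMAP: offp = &sm->mnt_gidmap; break;
	default:           return ERR_INVAL;
	}
	*offp = start;
	sm->mask |= flag;
	return 0;
}

/* Try every flag; return a bitmask of the arms that reach the tail with offp unset. */
static unsigned unset_offp_flags(int (*fn)(struct sm_model *, unsigned, uint32_t))
{
	unsigned bad = 0, flag;

	for (flag = M_FS_TYPE; flag <= M_MNT_GIDMAP; flag <<= 1) {
		struct sm_model sm = {0};
		if (fn(&sm, flag, 7) == ERR_UNSET_OFFP)
			bad |= flag;
	}
	return bad;
}

/* Offset the fixed path records for the UIDMAP field, or -1 on error. */
static long recorded_uidmap_fixed(uint32_t start)
{
	struct sm_model sm = {0};

	if (string_offset_fixed(&sm, M_MNT_UIDMAP, start) != 0)
		return -1;
	return (sm.mask & M_MNT_UIDMAP) ? (long)sm.mnt_uidmap : -1;
}

int main(void)
{
	printf("unfixed: flags leaving offp unset = 0x%x\n", unset_offp_flags(string_offset_unfixed));
	printf("fixed:   flags leaving offp unset = 0x%x\n", unset_offp_flags(string_offset_fixed));
	return 0;
}
```

The walker is the check a reviewer would want for any "assign a pointer per case, dereference after the switch" shape: the bug is invisible in the UIDMAP and GIDMAP arms themselves, since each does set its field, and only shows when every arm is traced to the shared tail.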

Exploitation

statmount_string() is reached from the statmount() system call, so a local process that requests STATMOUNT_MNT_UIDMAP or STATMOUNT_MNT_GIDMAP in its query drives execution into the affected cases; statmount() needs no special privilege, so no elevated access is required beyond the ability to make the call. The value written through offp is the string offset, and the pointer itself is whatever stale data occupied that stack slot rather than a value the caller chooses, so the realistic outcome is a stray kernel write at an unpredictable location or a crash, with the exact effect depending on stack contents at the time of the call.

Impact

Successful exploitation could lead to kernel memory corruption or denial of service (system crash). Privilege escalation would additionally require the attacker to influence the stale pointer value left in offp, which is not something the interface exposes directly, so it is a theoretical rather than demonstrated outcome. The fix assigns offp in the UIDMAP and GIDMAP cases, making them consistent with the other flags so the common tail never dereferences an uninitialized pointer [1].

Mitigation

The fix has been applied in the Linux kernel stable tree as commit 0778ac7df5137d5041783fadfc201f8fd55a1d9b [1]. Users should update to a kernel that includes this patch; only kernels that already support the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP flags contain the affected code. No workaround is available other than applying the patch, short of blocking the statmount() system call with seccomp for untrusted workloads, which also removes legitimate functionality.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
