CVE-2025-68239
Description
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec()
bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's binfmt_misc, an error path fails to restore write access to an executable file opened via open_exec(), leading to potential denial of write operations.
Root
Cause
The vulnerability resides in the bm_register_write() function of the Linux kernel's binfmt_misc module. When opening an executable file using open_exec(), the kernel internally calls do_open_execat(), which denies write access to the file to prevent modification during execution. However, if an error occurs later in bm_register_write(), the file is closed directly via filp_close() without first restoring the write permission. This leaves the file in a state where subsequent write operations are denied.
Exploitation
An attacker must be able to trigger an error condition in bm_register_write() while the function holds a file descriptor opened by open_exec(). This requires local access to the system and the ability to invoke the binfmt_misc filesystem operations, typically via writing to /proc/sys/fs/binfmt_misc/register. No special privileges are needed beyond the ability to write to that interface for the target file.
Impact
Successful exploitation results in a denial of service (DoS) for write operations on the affected executable file. Any subsequent attempt to modify or overwrite the file will fail, potentially preventing software updates, configuration changes, or other legitimate writes. This can persist until the file descriptor is properly closed with permission restoration, or the system is rebooted.
Mitigation
The fix introduces a call to exe_file_allow_write_access() before filp_close() in the error path, ensuring write permission is restored. The patch has been applied to stable kernel branches. Users should update to the latest patched kernel version to mitigate the issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: not specified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7fnvd
- git.kernel.org/stable/c/6cce7bc7fac8471c832696720d9c8f2a976d9c54nvd
- git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fdnvd
- git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459nvd
- git.kernel.org/stable/c/fbab8c08e1a6dbaef81e22d672a7647553101d16nvd
News mentions
0No linked articles in our index yet.