VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68247

Description

In the Linux kernel, the following vulnerability has been resolved:

posix-timers: Plug potential memory leak in do_timer_create()

When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.

Move the allocation after the user space access to cure that.

[ tglx: Massaged change log ]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in Linux kernel's posix-timers occurs when timer creation with a specific ID fails due to a user-space access fault, leaving the allocated timer structure unfreed.

Vulnerability

Overview

In the Linux kernel, a memory leak vulnerability exists in the do_timer_create() function within the posix-timers code. When a process requests the creation of a POSIX timer with a specific timer ID (via timer_create() with TIMER_ABSTIME or similar), the kernel allocates a struct k_itimer before attempting to copy the user-space value. If the copy_from_user() operation faults (e.g., due to an invalid user-space pointer or other memory access error), the function returns an error without freeing the previously allocated timer structure. This results in a memory leak of the k_itimer object [1].

Exploitation

The vulnerability can be triggered by any local user with the ability to create POSIX timers (typically unprivileged). The attacker must provide a valid timer ID and a user-space pointer that will cause a fault during the copy operation. This can be achieved by passing an unmapped or otherwise invalid address for the old_value or new_value parameter in the timer_create() syscall. No special privileges are required beyond the ability to create timers, which is generally available to all users [1].

Impact

Repeatedly triggering this vulnerability allows an unprivileged local attacker to exhaust kernel memory, leading to a denial-of-service (DoS) condition. Each failed timer creation leaks a small amount of memory (the size of struct k_itimer), which can accumulate over time. The vulnerability does not provide any privilege escalation or information disclosure; the impact is limited to memory exhaustion [1].

Mitigation

The fix, introduced in Linux kernel commit e0fd4d42e27f761e9cc82801b3f183e658dc749d, moves the allocation of the timer structure after the user-space access. This ensures that if the copy fails, no memory has been allocated, preventing the leak. The patch has been applied to the stable kernel tree and is included in subsequent releases. Users should update to a kernel version containing this commit or apply the patch manually [1].
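The ordering change described above, as an added example that is neither kernel code nor taken from the patch: a user-space C model that counts objects left behind by each ordering. The names `timer_model`, `read_user_id`, `create_alloc_first` and `create_read_first` are hypothetical, and a NULL pointer stands in for the faulting user-space address.

```c
/* User-space model of the allocation-ordering bug; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
struct timer_model { int id; };   /* hypothetical stand-in for struct k_itimer */
static long live_objects;         /* allocated and not yet freed */

static struct timer_model *timer_alloc(void) {
    struct timer_model *t = calloc(1, sizeof(*t));
    if (t) live_objects++;
    return t;
}
static void timer_free(struct timer_model *t) { live_objects--; free(t); }

static int read_user_id(const int *uptr, int *out) {
    if (!uptr) return -EFAULT;    /* NULL plays the faulting user address */
    *out = *uptr;
    return 0;
}

/* Ordering the description calls leaky: allocate, then read. */
int create_alloc_first(const int *uptr) {
    struct timer_model *t = timer_alloc();
    if (!t) return -EAGAIN;
    if (read_user_id(uptr, &t->id)) return -EFAULT;   /* t is never freed */
    timer_free(t);                /* model only: tear the timer down at once */
    return 0;
}

/* Ordering after the fix: read first, allocate only once the read succeeded. */
int create_read_first(const int *uptr) {
    int req_id = 0;
    if (read_user_id(uptr, &req_id)) return -EFAULT;  /* nothing allocated yet */
    struct timer_model *t = timer_alloc();
    if (!t) return -EAGAIN;
    t->id = req_id;
    timer_free(t);
    return 0;
}

/* Makes n faulting calls and returns how many objects were left behind. */
long leaked_after(int (*create)(const int *), int n) {
    long before = live_objects;
    for (int i = 0; i < n; i++) create(NULL);
    return live_objects - before;
}

int main(void) {
    printf("alloc-first leaked %ld\n", leaked_after(create_alloc_first, 1000));
    printf("read-first leaked %ld\n", leaked_after(create_read_first, 1000));
    return 0;
}
```

Both orderings return the same error to the caller on a fault, so the leak is invisible from the return value alone; only the object count differs.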

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
