CVE-2025-68733
Description
In the Linux kernel, the following vulnerability has been resolved:
smack: fix bug: unprivileged task can create labels
If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into its own /proc/PID/attr/smack/current.
This occurs because do_setattr() imports the provided label in advance, before checking the "relabel-self" list.
This change ensures that the "relabel-self" list is checked before importing the label.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's Smack LSM, an unprivileged task can create arbitrary labels by writing to /proc/PID/attr/smack/current due to a missing permission check before label import.
Vulnerability
In the Linux kernel's Smack security module, a bug in the do_setattr() function allows an unprivileged task to create new Smack labels if it is permitted to relabel itself (i.e., /smack/relabel-self is not empty). The flaw occurs because the function imports the provided label into the kernel's label database *before* checking whether the task is allowed to use that label via the relabel-self list [1].
Exploitation
An attacker who can write to their own /proc/PID/attr/smack/current file (which is possible when the relabel-self mechanism is enabled) can supply an arbitrary label name. The kernel will create that label in the Smack label database without verifying that the task is authorized to introduce new labels. No additional privileges are required beyond the ability to write to the procfs attribute file [1].
Impact
By creating arbitrary labels, an unprivileged attacker can bypass Smack's mandatory access control policies. This could allow the attacker to assign themselves or other objects labels that grant unintended access to resources, potentially leading to privilege escalation [1].
Mitigation
The fix, already applied in the Linux kernel stable tree, moves the relabel-self permission check to occur *before* the label is imported. Users should update to a kernel version containing the commit 4a7a7621619a or later [1]. No workaround is available other than disabling the relabel-self feature if it is not needed.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
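The check-ordering problem described above, as an added user-space model in C (not the kernel's code and not part of the original page): the label database, the string-based relabel-self list, the function names and the labels "Staff" and "Rogue" are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
typedef const char *const *list_t;

/* Toy stand-in for the label database (8 slots of 24 bytes); not kernel code. */
struct label_db { char names[8][24]; int count; };

/* Import = look the name up and create it if it is not known yet. */
static int label_import(struct label_db *db, const char *name) {
    for (int i = 0; i < db->count; i++)
        if (strcmp(db->names[i], name) == 0) return i;
    if (db->count == 8 || strlen(name) >= 24) return -1;
    strcpy(db->names[db->count], name);
    return db->count++;
}

/* Membership test on the relabel-self list; it creates nothing. */
static int on_list(list_t list, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

/* Ordering described as the bug: import, then check. */
static int setattr_import_first(struct label_db *db, list_t list, int n, const char *name) {
    if (label_import(db, name) < 0) return -1;
    return on_list(list, n, name) ? 0 : -1;   /* refused, but the label now exists */
}

/* Ordering after the fix: check, then import. */
static int setattr_check_first(struct label_db *db, list_t list, int n, const char *name) {
    if (!on_list(list, n, name)) return -1;   /* refused before anything is created */
    return label_import(db, name) < 0 ? -1 : 0;
}

/* Labels in the database after a refused request (-1 if it was accepted). */
int labels_after_refused_write(int check_first) {
    struct label_db db = { .count = 0 };
    const char *const allowed[] = { "Staff" };  /* constructed sample list */
    label_import(&db, "Staff");                 /* the one pre-existing label */
    int rc = check_first ? setattr_check_first(&db, allowed, 1, "Rogue")
                         : setattr_import_first(&db, allowed, 1, "Rogue");
    return rc < 0 ? db.count : -1;
}

int main(void) {
    printf("import-first: %d labels\n", labels_after_refused_write(0));
    printf("check-first:  %d labels\n", labels_after_refused_write(1));
    return 0;
}
```

In this model both orderings refuse the request, but only the import-first ordering leaves the unlisted label behind in the database.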
References
- git.kernel.org/stable/c/4a7a7621619a366712fb9cefcb6e69f956c247ce (nvd)
- git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0 (nvd)
- git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e (nvd)
- git.kernel.org/stable/c/6b1e45e13546c9ea0b1d99097993ac0aafae90b1 (nvd)
- git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59 (nvd)
- git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 (nvd)
- git.kernel.org/stable/c/c80173233014a360c13fa5cc79d36bfe6e53a8ed (nvd)
- git.kernel.org/stable/c/f8fd5491100f920847a3338d5fba22db19c72773 (nvd)