Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68740


Description

In the Linux kernel, the following vulnerability has been resolved:

ima: Handle error code returned by ima_filter_rule_match()

In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA.

This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match.

Call trace:
  selinux_audit_rule_match+0x310/0x3b8
  security_audit_rule_match+0x60/0xa0
  ima_match_rules+0x2e4/0x4a0
  ima_match_policy+0x9c/0x1e8
  ima_get_action+0x48/0x60
  process_measurement+0xf8/0xa98
  ima_bprm_check+0x98/0xd8
  security_bprm_check+0x5c/0x78
  search_binary_handler+0x6c/0x318
  exec_binprm+0x58/0x1b8
  bprm_execve+0xb8/0x130
  do_execveat_common.isra.0+0x1a8/0x258
  __arm64_sys_execve+0x48/0x68
  invoke_syscall+0x50/0x128
  el0_svc_common.constprop.0+0xc8/0xf0
  do_el0_svc+0x24/0x38
  el0_svc+0x44/0x200
  el0t_64_sync_handler+0x100/0x130
  el0t_64_sync+0x3c8/0x3d0

Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match.
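The -ESTALE then -ENOENT sequence described above, as an added userspace model (not the kernel's code and not part of the advisory). The struct, the function names prefixed model_, and the 'recopied' and 'fixed' parameters are hypothetical; only the return-code convention and the two checks come from the description.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for one LSM rule. A NULL pointer models the rule
 * left behind by ima_lsm_copy_rule() once the SELinux module is gone. */
struct model_rule { bool stale; int matches; };

/* Models ima_filter_rule_match(): 1 = match, 0 = no match, <0 = error. */
static int model_filter_rule_match(const struct model_rule *r)
{
    if (!r)
        return -ENOENT;
    if (r->stale)
        return -ESTALE;
    return r->matches;
}

/* Models the LSM check in ima_match_rules(). 'recopied' is what the retry
 * sees after the copy step; 'fixed' selects 'rc <= 0' over '!rc'. */
static bool model_match_rules(const struct model_rule *rule,
                              const struct model_rule *recopied, bool fixed)
{
    bool rule_reinitialized = false;
    int rc;

retry:
    rc = model_filter_rule_match(rule);
    if (rc == -ESTALE && !rule_reinitialized) {
        rule = recopied;              /* stands in for ima_lsm_copy_rule() */
        rule_reinitialized = true;
        goto retry;
    }
    if (fixed ? (rc <= 0) : !rc)
        return false;                 /* no match: rule does not apply */
    return true;                      /* match: file gets measured */
}

int main(void)
{
    struct model_rule stale = { true, 0 };  /* policy module just disabled */

    printf("before fix: match=%d\n", model_match_rules(&stale, NULL, false));
    printf("after fix:  match=%d\n", model_match_rules(&stale, NULL, true));
    return 0;
}
```

Ordinary match (1) and no-match (0) results behave the same under both checks; only negative return codes are classified differently.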

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer comparison flaw in ima_match_rules() causes false-positive LSM rule matches, leading to extra file measurements when the SELinux module is unloaded.

Root Cause

In the Linux kernel's Integrity Measurement Architecture (IMA), the function ima_match_rules() uses if (!rc) to check the return value of ima_filter_rule_match(). That check is the "no match" exit and is taken only when rc is exactly 0. When ima_filter_rule_match() returns a negative error code such as -ENOENT (indicating the rule is NULL), rc is nonzero, so !rc evaluates to false, the no-match branch is skipped, and the function falls through to set result = true, treating the error as a rule match [1].

Exploitation Scenario

An attacker or administrator can trigger the bug by unloading the SELinux policy module using semodule -d. After this action, if an IMA measurement is triggered before ima_lsm_rules is updated, the first call to ima_filter_rule_match() returns -ESTALE. The code enters a retry path via ima_lsm_copy_rule(), but because the SELinux module has been removed, the copied rule becomes NULL. The subsequent call then returns -ENOENT, which the existing if (!rc) check fails to handle, resulting in a false match [1]. The call trace shows the path being reached during execve(): ima_bprm_check() calls process_measurement(), which goes through ima_get_action() and ima_match_policy() to ima_match_rules(), and from there into security_audit_rule_match() and selinux_audit_rule_match() [1].

Impact

When the false match occurs, IMA incorrectly considers the LSM rule as applicable, causing extra files to be measured by IMA. This can lead to unintended measurements of files that should not have been measured, potentially violating security policies and increasing audit log volume. The issue affects the integrity of IMA's measurement decisions, as it may include or exclude files inappropriately [1].

Mitigation

The fix requires changing if (!rc) to if (rc <= 0) in ima_match_rules(), ensuring that error codes like -ENOENT do not bypass the check. This correction has been applied to the Linux kernel stable branches via commit c2238d487a64 [2] and related commits [1][3]. Users should apply the latest kernel updates to resolve the vulnerability. No workaround is available beyond updating the kernel.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
