CVE-2025-21846 in Linux
Summary
by MITRE • 03/12/2025
In the Linux kernel, the following vulnerability has been resolved:
acct: perform last write from workqueue
In [1] it was reported that the acct(2) system call can be used to
trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can, e.g., happen when pointing acct(2) to /sys/power/resume. At the point where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs.
Reorganize the code so that the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk.
This API should cease to exist, though.
Analysis
by VulDB Data Team • 12/14/2025
CVE-2025-21846 is a critical NULL pointer dereference in the Linux kernel's process accounting subsystem, specifically in the implementation of the acct(2) system call. The flaw lies in how the kernel performs the accounting write once acct(2) has been pointed at a file whose write triggers an internal lookup, for example a sysfs path such as /sys/power/resume. The underlying issue is missing synchronization between the final accounting write and task lifecycle handling in the kernel's filesystem subsystem.
The technical root cause is a race condition between the filesystem lookup and task exit processing. By the time the acct(2) write reaches a file that requires an internal lookup, the calling task has already invoked exit_fs() to tear down its filesystem context, leaving current->fs NULL. The subsequent lookup dereferences that NULL pointer. The accounting subsystem did not handle this state, so the result is a NULL pointer dereference that can crash the system or, in the analysis's assessment, open potential privilege escalation opportunities. The weakness maps directly to CWE-476, NULL Pointer Dereference.
The operational impact extends beyond simple system instability: the NULL dereference could be used to crash the system (denial of service) or, in more sophisticated scenarios, to manipulate the kernel's accounting subsystem in an attempt to gain elevated privileges. Affected systems are those running Linux kernels where the acct(2) system call is enabled and reachable by unprivileged users, which is of particular concern on servers where process accounting is in active use. The risk is compounded by the fact that the condition arises during normal operation, when legitimate accounting writes target specific filesystem locations.
The kernel developers implemented a targeted fix that reorganizes the code so that the final write is performed from a workqueue while retaining the original caller's credentials. The write therefore runs in a context whose filesystem state is intact, which removes the NULL dereference condition, and the existing permission model and security boundaries of the accounting subsystem are preserved, so regression risk is low. This mitigation aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities, and T1490, which involves denial of service attacks. The workqueue-based approach keeps the filesystem operation in an appropriate context without changing the accounting system's functional behaviour or its API, addressing the core synchronization issue with a minimal-risk patch.
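To make the before/after behaviour concrete, the following is a constructed userspace model in C, added here; it is not code from the kernel patch, and its struct and function names (fs_struct, cred, task, acct_work, acct_write_process) are stand-ins for the kernel's own. It simulates an exiting task whose fs context is torn down before its last accounting record is written, and the fixed path that defers the write to a worker with a live fs context under the caller's borrowed credentials.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed userspace model of the kernel state involved; not the kernel's real structs. */
static struct fs_struct { const char *root; } worker_fs = { "/" };
static const struct cred { unsigned int uid; } worker_cred = { 0 };  /* worker runs as root */
struct task { struct fs_struct *fs; const struct cred *cred; };
struct acct_work { unsigned int owner_uid; const struct cred *cred; int result; };

/* Models the write's internal lookup through current->fs, then its permission check. */
static int acct_write_as(struct task *cur, unsigned int owner_uid)
{
    if (cur->fs == NULL) return -EFAULT;   /* stands in for the NULL dereference of current->fs */
    if (cur->cred->uid != 0 && cur->cred->uid != owner_uid)
        return -EACCES;     /* the check sees whatever cred the task currently carries */
    return 0;
}
/* exit_fs(): the exiting task drops its fs context before its last record is written. */
static void exit_fs(struct task *t) { t->fs = NULL; }

/* Before the fix: the last write runs in the exiting task itself, after exit_fs(). */
int acct_last_write_vulnerable(struct task *exiting, unsigned int owner_uid)
{
    exit_fs(exiting);
    return acct_write_as(exiting, owner_uid);
}

/* After the fix: the write is deferred to a worker task that still has an fs context
 * and temporarily carries the exiting caller's credentials while it writes. */
static void acct_write_process(struct task *worker, struct acct_work *w)
{
    const struct cred *saved = worker->cred;
    worker->cred = w->cred;             /* like override_creds(): act as the caller */
    w->result = acct_write_as(worker, w->owner_uid);
    worker->cred = saved;               /* like revert_creds() */
}
int acct_last_write_fixed(struct task *exiting, unsigned int owner_uid)
{
    struct task worker = { &worker_fs, &worker_cred };
    struct acct_work w = { owner_uid, exiting->cred, -EIO };
    exit_fs(exiting);
    acct_write_process(&worker, &w);    /* models schedule_work() plus waiting for completion */
    return w.result;
}

/* One scenario: a caller with `uid` writes its last record to a file owned by `owner`. */
int acct_scenario(int fixed, unsigned int uid, unsigned int owner)
{
    struct fs_struct caller_fs = { "/" }; struct cred caller_cred = { uid };
    struct task caller = { &caller_fs, &caller_cred };
    return fixed ? acct_last_write_fixed(&caller, owner) : acct_last_write_vulnerable(&caller, owner);
}
```

The -EFAULT return stands in for the crash; acct_scenario(1, 1000, 0) shows that the deferred write still fails the permission check with the caller's uid rather than the worker's root identity, which is the "preserved permission model" the fix description refers to.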