CVE-2025-40072 in Linuxinfo

Summary

by MITRE • 10/28/2025

In the Linux kernel, the following vulnerability has been resolved:

fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing

The function do_fanotify_mark() does not validate if mnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns. This causes a NULL pointer dereference in do_fanotify_mark() if the path is not a mount namespace object.

Fix this by checking mnt_ns_from_dentry()'s return value before dereferencing it.

Before the patch

$ gcc fanotify_nullptr.c -o fanotify_nullptr $ mkdir A $ ./fanotify_nullptr Fanotify fd: 3 fanotify_mark: Operation not permitted $ unshare -Urm Fanotify fd: 3 Killed

int main(void){
int ffd; ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0); if(ffd < 0){
perror("fanotify_init"); exit(EXIT_FAILURE); }

printf("Fanotify fd: %d\n",ffd);

if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS, FAN_MNT_ATTACH, AT_FDCWD, "A") < 0){
perror("fanotify_mark"); exit(EXIT_FAILURE); }

return 0; }

After the patch

$ gcc fanotify_nullptr.c -o fanotify_nullptr $ mkdir A $ ./fanotify_nullptr Fanotify fd: 3 fanotify_mark: Operation not permitted $ unshare -Urm Fanotify fd: 3 fanotify_mark: Invalid argument

[ 25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038
[ 25.695006] #PF: supervisor read access in kernel mode
[ 25.695012] #PF: error_code(0x0000) - not-present page
[ 25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0
[ 25.695025] Oops: Oops: 0000 [#1] SMP NOPTI
[ 25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not
tainted 6.17.0-rc4 #1 PREEMPT(lazy) [ 25.695040] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950
[ 25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54
24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28 85 c9 [ 25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203
[ 25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220
[ 25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180
[ 25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000
[ 25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7
[ 25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0
[ 25.695154] FS: 00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)
knlGS:0000000000000000 [ 25.695162] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0
[ 25.695201] Call Trace:
[ 25.695209] <TASK>
[ 25.695215] __x64_sys_fanotify_mark+0x1f/0x30
[ 25.695222] do_syscall_64+0x82/0x2c0
...

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-40072 resides within the Linux kernel's fanotify subsystem, specifically in the do_fanotify_mark() function. This flaw represents a classic NULL pointer dereference issue that can lead to system instability and potential privilege escalation. The vulnerability manifests when the mnt_ns_from_dentry() function returns NULL, but the calling code does not validate this return value before proceeding to dereference the mntns->user_ns field. This condition occurs when attempting to mark paths that are not mount namespace objects, creating a scenario where kernel memory is accessed through an invalid pointer reference.

The technical root cause of this vulnerability aligns with CWE-476, which identifies NULL pointer dereference as a critical weakness in software design. The fanotify subsystem is designed to monitor file system events and provide notifications to user-space applications, but the improper handling of mount namespace references creates an exploitable condition. When a process attempts to use fanotify_mark() with a path that does not correspond to a valid mount namespace, the kernel fails to validate the return value from mnt_ns_from_dentry() before accessing the user_ns member of the mount namespace structure. This oversight results in a direct memory access violation at address 0x38, which corresponds to the user_ns field within the mount namespace structure.

The operational impact of this vulnerability is severe, as it can cause immediate system crashes through kernel NULL pointer dereferences, leading to denial of service conditions. The exploit scenario described in the vulnerability report demonstrates how a specially crafted program can trigger this condition by using unshare -Urm to create a user namespace and then attempting to mark a directory path with fanotify_mark. The system response shows a kernel panic with a BUG message indicating the NULL pointer dereference, which terminates the process and potentially destabilizes the entire kernel. This vulnerability affects systems running kernel versions where the fix has not yet been applied, particularly those utilizing fanotify functionality for monitoring file system events or implementing security policies.

Mitigation strategies for this vulnerability involve applying the kernel patch that validates the return value of mnt_ns_from_dentry() before dereferencing it. System administrators should prioritize updating their kernel versions to include this fix, which prevents the NULL pointer dereference by checking if the mount namespace reference is valid before accessing its components. The fix implements a simple but critical validation check that ensures mnt_ns_from_dentry() does not return NULL before proceeding with subsequent operations. Additionally, organizations should monitor for any related vulnerabilities in the fanotify subsystem and ensure that all kernel updates are applied promptly. From an ATT&CK perspective, this vulnerability relates to T1068 (Local Privilege Escalation) and T1499 (Endpoint Denial of Service) as it can be leveraged to either crash system processes or potentially escalate privileges through kernel memory corruption. The vulnerability also aligns with T1548.001 (Abuse Elevation Control Mechanism) as it exploits improper validation of system call parameters in kernel space.

Responsible

Linux

Reservation

04/16/2025

Disclosure

10/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00170

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!