CVE-2025-68239 in Linux
Summary
by MITRE • 12/16/2025
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec()
bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability described in CVE-2025-68239 resides within the Linux kernel's binary format miscellaneous (binfmt_misc) subsystem, which serves as a mechanism for registering and managing executable file formats. This subsystem operates as a critical component in the kernel's execution framework, handling various executable formats including those that require special processing before execution. The flaw manifests specifically during the registration process of binary formats when write access permissions are not properly restored after file operations, creating a potential denial of service condition that could impact system stability and security.
The technical root cause of this vulnerability stems from improper handling of file access permissions within the bm_register_write() function. When this function processes executable files, it utilizes open_exec() to open files, which internally invokes do_open_execat() and deliberately restricts write access to prevent modifications during execution. This permission restriction is a security measure designed to maintain the integrity of executing binaries. However, the function fails to properly restore write permissions when errors occur during file processing, as it directly calls filp_close() without invoking the necessary cleanup function exe_file_allow_write_access(). This oversight creates a state where files remain in a restricted write state even after the execution context has ended, leading to potential permission conflicts and operational failures.
The operational impact of this vulnerability extends beyond simple permission errors, as it creates a pathway for potential denial of service conditions that could affect system availability and stability. When the file system attempts to perform write operations on files that still maintain restricted permissions, these operations will fail with permission denied errors, potentially causing applications and system processes to crash or behave unpredictably. The vulnerability specifically affects systems utilizing the binfmt_misc subsystem for executable format registration, which is common in environments where multiple executable formats need to be supported or where custom execution handlers are required. This could impact servers, desktop systems, and embedded devices that rely on proper file access control mechanisms.
Security implications of CVE-2025-68239 align with CWE-284 (Improper Access Control) and represent a direct violation of the principle of least privilege. The flaw creates a condition where file access permissions are not properly managed, potentially allowing attackers to exploit the restricted state for privilege escalation or denial of service attacks. From an ATT&CK framework perspective, this vulnerability could be leveraged in techniques involving privilege escalation through file system manipulation or service disruption through permission-based denial of service. The fix implemented addresses this by ensuring proper permission restoration through the explicit call to exe_file_allow_write_access() before file closure, which restores the appropriate write permissions and maintains the integrity of the file system access control model.
The mitigation strategy for this vulnerability involves applying the kernel patch that implements the proper permission restoration mechanism. System administrators should prioritize updating their Linux kernel installations to versions containing the fix, as this vulnerability affects the core kernel functionality that underpins system security and stability. The fix specifically addresses the issue by ensuring that write permissions are properly restored when files are closed, maintaining consistency with the kernel's file access control mechanisms and preventing the propagation of restricted file states. Organizations should also monitor their systems for any unusual file access errors or permission-related failures that might indicate the presence of this vulnerability before patching, as the effects could manifest as intermittent system failures or application errors related to file operations.