Linux Kernel up to 6.12.13/6.13.2/6.14-rc1 seccomp denial of service

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.12.13/6.13.2/6.14-rc1. It has been classified as critical. This issue affects some unknown processing of the component seccomp. Performing a manipulation results in denial of service. This vulnerability was named CVE-2025-21834. There is no available exploit. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical has been found in Linux Kernel up to 6.12.13/6.13.2/6.14-rc1. This affects an unknown code block of the component seccomp. The manipulation with an unknown input leads to a denial of service vulnerability. CWE is classifying the issue as CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. This is going to have an impact on availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: seccomp: passthrough uretprobe systemcall without filtering When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes. Pass this systemcall through seccomp without depending on configuration. Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386. [kees: minimized changes for easier backporting, tweaked commit log]

It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2025-21834 since 12/29/2024. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 232232 (Linux Distros Unpatched Vulnerability : CVE-2025-21834), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.12.14, 6.13.3 or 6.14-rc2 eliminates this vulnerability. Applying the patch 5a262628f4cf2437d863fe41f9d427177b87664c/fa80018aa5be10c35e9fa896b7b4061a8dce3eed/cf6cb56ef24410fb5308f9655087f1eddf4452e6 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (232232) and CERT Bund (WID-SEC-2025-0499). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• RESF Rocky Linux
• SolarWinds Security Event Manager
• Open Source Linux Kernel
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.12.0
• 6.12.1
• 6.12.2
• 6.12.3
• 6.12.4
• 6.12.5
• 6.12.6
• 6.12.7
• 6.12.8
• 6.12.9
• 6.12.10
• 6.12.11
• 6.12.12
• 6.12.13
• 6.13.0
• 6.13.1
• 6.13.2
• 6.14-rc1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion