Linux Kernel up to 6.17.10 afs_parse_source privilege escalation

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.17.10. It has been classified as critical. This vulnerability affects the function afs_parse_source. The manipulation leads to an unknown weakness. This vulnerability is referenced as CVE-2025-68299. No exploit is available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.17.10. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afs_parse_source() parsing the device name given to mount() and calling afs_lookup_cell() with the name of the cell. The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set and so an oops can happen. This has been made more likely to happen by the fix for dynamic lookup failure. Fix this by firstly allocating a reference name and attaching it to the afs_cell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can't just overlap the cell name by prepending it with "afs@" as the cell name already has a '.' prepended for other purposes). This reference name is then passed to request_key(). Secondly, the anon key is now allocated on demand at the point a key is requested in afs_request_key() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell. Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afs_request_key() can be called. Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn't currently cache a negative lookup, but it's probably worth some investigation to see if NULL can be used instead.

The advisory is shared at git.kernel.org. The identification of this vulnerability is CVE-2025-68299 since 12/16/2025. The exploitation is known to be easy. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/18/2026).

The vulnerability scanner Nessus provides a plugin with the ID 302766 (Ubuntu 24.04 LTS / 25.10 : Linux kernel vulnerabilities (USN-8094-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.17.11 eliminates this vulnerability. Applying the patch 5613bde937dfac6725e9c3fc766b9d6b8481e55b/d27c71257825dced46104eefe42e4d9964bd032e is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (302766) and CERT Bund (WID-SEC-2025-2868). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.17.0
• 6.17.1
• 6.17.2
• 6.17.3
• 6.17.4
• 6.17.5
• 6.17.6
• 6.17.7
• 6.17.8
• 6.17.9
• 6.17.10

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion