CVE-2025-21634

5.5 MEDIUM

📋 TL;DR

A race condition in the Linux kernel's cpuset subsystem: concurrent cgroup removal and writes to the cpuset.cpus file can trigger a kernel warning. This affects Linux systems using cgroups/cpusets and can cause system instability or denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions between commit 76bb5ab8f6e3 and commit 11cb1d643a74665a4e14749414f48f82cbc15c64
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires cgroups/cpuset subsystem to be in use. Most containerized environments and systems using cgroups for resource management are affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic or system crash leading to denial of service and potential data loss.

🟠 Likely Case: Kernel warning messages in logs and potential system instability during concurrent cgroup operations.

🟢 If Mitigated: Minor performance impact during cgroup operations with warning messages in system logs.

🌐 Internet-Facing: LOW - Requires local access to cgroup filesystem operations.
🏢 Internal Only: MEDIUM - Could be triggered by legitimate administrative operations or malicious local users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM - Requires race condition timing and access to cgroup filesystem operations.

Exploitation requires local access and specific timing conditions between cgroup removal and cpuset.cpus write operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commit 11cb1d643a74665a4e14749414f48f82cbc15c64 or later

Vendor Advisory: https://git.kernel.org/stable/c/11cb1d643a74665a4e14749414f48f82cbc15c64

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fix commit 11cb1d643a74665a4e14749414f48f82cbc15c64
2. Reboot system to load new kernel
3. Verify kernel version after reboot

🔧 Temporary Workarounds

Avoid concurrent cgroup operations

linux

Prevent simultaneous cgroup removal and cpuset.cpus write operations

Disable cpuset subsystem

linux

Remove cpuset from cgroup controllers if not required

echo "-cpuset" > /sys/fs/cgroup/cgroup.subtree_control

🧯 If You Can't Patch

  • Implement strict access controls on cgroup filesystem operations
  • Monitor system logs for kernel warnings related to cpuset operations

🔍 How to Verify

Check if Vulnerable:

Run 'uname -r' to get the kernel version, then check whether the source that kernel was built from falls in the affected range: it contains commit 76bb5ab8f6e3 but not the fix commit.

Check Version:

uname -r

Verify Fix Applied:

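Verify kernel contains commit 11cb1d643a74665a4e14749414f48f82cbc15c64. /proc/version reports the release string and build information, not commit hashes, so run the check in the git tree the running kernel was built from: 'git merge-base --is-ancestor 11cb1d643a74665a4e14749414f48f82cbc15c64 HEAD' (exit status 0 means the commit is present). A backport may carry a different hash, in which case this check reports the commit as absent even though the fix is applied.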

📡 Detection & Monitoring

Log Indicators:

  • WARNING: CPU: ... at fs/kernfs/file.c:828
  • kernfs_should_drain_open_files warnings
  • cgroup/cpuset related kernel warnings

SIEM Query:

source="kernel" AND ("kernfs_should_drain_open_files" OR "cpuset_write_resmask" OR "cgroup_rm_file")
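
The query above matches on any one of the three strings, so a single stray mention is enough to raise an alert. As an added example (not from the advisory or the kernel project), the shell function below correlates the indicators per WARN splat and reports only when the fs/kernfs/file.c warning and kernfs_should_drain_open_files appear together; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Reads kernel log text on stdin
# (for instance the output of `journalctl -k -o cat` or `dmesg`).
# Prints one line per WARN splat that matches; exit status 0 if any matched.
scan_cpuset_kernfs_warn() {
    awk '
    function flush() {
        # Report only when the kernfs WARNING and the draining function co-occur.
        if (in_splat && warn && drain) {
            hits++
            printf "match: splat at log line %d, cgroup context: %s\n", start, (cg ? "yes" : "no")
        }
        in_splat = warn = drain = cg = 0
    }
    # A new WARNING header closes any open splat. The page lists file.c:828;
    # the line number is matched loosely because it shifts between builds.
    /WARNING: CPU:/ {
        flush(); in_splat = 1; start = NR
        warn = ($0 ~ /at fs\/kernfs\/file\.c:[0-9]+/)
    }
    in_splat && /kernfs_should_drain_open_files/ { drain = 1 }
    in_splat && /cgroup_rm_file|cpuset_write_resmask/ { cg = 1 }
    /---\[ end trace/ { flush() }
    END { flush(); exit (hits ? 0 : 1) }
    '
}

# Constructed sample input (timestamps, PIDs and offsets are made up).
sample_log() {
    cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] WARNING: CPU: 3 PID: 358 at fs/kernfs/file.c:828 kernfs_should_drain_open_files+0x1a1/0x1b0
[  101.000003] Call Trace:
[  101.000004]  kernfs_drain+0x15e/0x2f0
[  101.000005]  cgroup_rm_file+0x4b/0x150
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] WARNING: CPU: 1 PID: 77 at net/core/dev.c:1234 example_other_warn+0x10/0x20
[  202.000002]  cgroup_rm_file+0x4b/0x150
[  202.000003] ---[ end trace 0000000000000000 ]---
[  303.000001] cpuset_write_resmask mentioned outside any WARN splat
EOF
}

sample_log | scan_cpuset_kernfs_warn || true
```

On the constructed sample only the first splat is reported; the unrelated warning and the lone cpuset_write_resmask line, both of which the OR query would flag, are ignored.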
