CVE-2025-21672
📋 TL;DR
A race condition in the Linux kernel's AFS (Andrew File System) module: improper error handling can leave an inode lock held when returning to userspace. It affects Linux systems that use the AFS filesystem module. Attackers with local access could potentially exploit it to cause denial of service or privilege escalation.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise through kernel memory corruption or denial of service attacks.
Likely Case
Local denial of service through kernel panic or system instability when triggering the race condition.
If Mitigated
Minimal impact if AFS module is not loaded or not in use.
🎯 Exploit Status
Requires local access and specific conditions to trigger the race condition. Found through syzkaller fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commit 17a4fde81d3a7478d97d15304a6d61094a10c2e3 and 22be1d90a6211c88dd093b25d1f3aa974d0d9f9d
Vendor Advisory: https://git.kernel.org/stable/c/17a4fde81d3a7478d97d15304a6d61094a10c2e3
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. Check with your distribution for backported patches.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable AFS module
Unload the AFS kernel module if not required
sudo rmmod kafs
echo 'blacklist kafs' | sudo tee /etc/modprobe.d/blacklist-afs.conf
🧯 If You Can't Patch
- Ensure AFS module is not loaded on production systems
- Restrict local user access to systems where AFS is required
🔍 How to Verify
Check if Vulnerable:
Check if AFS module is loaded: lsmod | grep kafs. Check kernel version: uname -r and compare with affected versions.
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version is patched and check the AFS module version. Check kernel logs for lock warnings.
📡 Detection & Monitoring
Log Indicators:
- Kernel warnings about locks held when returning to userspace
- System crashes or instability related to AFS operations
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND "lock held when returning to user space" AND "afs"
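Added example, not part of the original advisory: the lock warning is a multi-line report, with the banner on one line and the function that took the lock on a later one, so a SIEM that indexes each kernel line as its own event will not match the query above on any single event. This Python sketch correlates the banner with AFS references in the lines that follow it. The sample log, task names and `*_example_fn` symbols are constructed, and the banner only appears on kernels built with lock debugging (lockdep).

```python
import re

BANNER = "lock held when returning to user space"   # lockdep banner text
TASK_RE = re.compile(r"(\S+/\d+) is leaving the kernel with locks still held")
AFS_RE = re.compile(r"\bk?afs", re.IGNORECASE)       # afs_* symbols or kafs

# Constructed sample shaped like a lockdep report; task names, addresses,
# lock names and *_example_fn symbols are invented for illustration.
SAMPLE_LOG = """\
[  101.000001] ================================================
[  101.000002] WARNING: lock held when returning to user space!
[  101.000003] 0.0.0-example #1 Not tainted
[  101.000004] ------------------------------------------------
[  101.000005] demo-proc/4242 is leaving the kernel with locks still held!
[  101.000006] 1 lock held by demo-proc/4242:
[  101.000007]  #0: ffff888000000000 (&example->lock){+.+.}-{3:3}, at: afs_example_fn+0x10/0x20
[  250.000001] WARNING: lock held when returning to user space!
[  250.000002] other-proc/77 is leaving the kernel with locks still held!
[  250.000003] 1 lock held by other-proc/77:
[  250.000004]  #0: ffff888000000001 (&other->lock){+.+.}-{3:3}, at: ext4_example_fn+0x1/0x2
"""

def naive_single_line_matches(log_text):
    """Per-line AND of both terms, as a line-per-event SIEM would evaluate it."""
    return [l for l in log_text.splitlines()
            if BANNER in l and AFS_RE.search(l)]

def find_afs_lock_leaks(log_text, window=12):
    """Correlate each banner with AFS references in the lines that follow it."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if BANNER not in line:
            continue
        block = []
        for follow in lines[i + 1:i + 1 + window]:
            if BANNER in follow:          # next report starts; stop here
                break
            block.append(follow)
        evidence = [l.strip() for l in block if AFS_RE.search(l)]
        if evidence:
            tasks = [m.group(1) for m in map(TASK_RE.search, block) if m]
            hits.append({"task": tasks[0] if tasks else None,
                         "evidence": evidence})
    return hits

if __name__ == "__main__":
    print("single-line matches:", naive_single_line_matches(SAMPLE_LOG))
    for hit in find_afs_lock_leaks(SAMPLE_LOG):
        print("AFS lock leak:", hit["task"], "->", hit["evidence"][0])
```

In a SIEM, the same correlation is usually done by grouping kernel events from one host within a short time window before applying the two search terms.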