CVE-2025-21846 Overview
CVE-2025-21846 is a Null Pointer Dereference vulnerability in the Linux kernel's process accounting (acct) subsystem. The vulnerability exists in the acct(2) system call, which can be exploited to trigger a NULL pointer dereference when the system call is configured to write to a file that triggers an internal lookup, such as /sys/power/resume.
The flaw occurs because at the point where the write operation happens, the calling task has already exited and called exit_fs(). When a lookup is subsequently triggered, it attempts to access current->fs, which results in a NULL pointer dereference since the filesystem context has already been deallocated.
Critical Impact
Local attackers with low privileges can trigger a kernel panic through NULL pointer dereference, causing system denial of service and potential system instability.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.14-rc1
- Linux Kernel 6.14-rc2
- Linux Kernel 6.14-rc3
Discovery Timeline
- 2025-03-12 - CVE-2025-21846 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-21846
Vulnerability Analysis
This vulnerability (CWE-476: NULL Pointer Dereference) affects the process accounting mechanism in the Linux kernel. The acct(2) system call enables process accounting by specifying a file where the kernel writes accounting records when processes terminate.
The vulnerability occurs in a race condition scenario where the final accounting write is performed after the process has exited and released its filesystem structure via exit_fs(). When the accounting target is a special file that requires an internal lookup operation (such as sysfs entries like /sys/power/resume), the kernel attempts to access current->fs for path resolution, but this structure has already been freed, resulting in a NULL pointer dereference.
The fix reorganizes the code to ensure that the final accounting write happens from a workqueue while preserving the original caller's credentials. This maintains the existing permission model while preventing the NULL dereference by ensuring proper filesystem context exists during the write operation.
Root Cause
The root cause is improper lifecycle management of the current->fs structure during process termination. The accounting subsystem's final write operation occurs asynchronously, but the original implementation did not account for the scenario where the calling process has already released its filesystem context. When the write target triggers internal lookups (common with pseudo-filesystems like sysfs), the kernel assumes current->fs is valid, leading to the NULL pointer dereference.
Attack Vector
The attack requires local access to the system with low privileges. An attacker can exploit this vulnerability by:
- Configuring process accounting via the acct(2) system call to write to a special file path such as /sys/power/resume
- Terminating the process that initiated the accounting
- The kernel's accounting subsystem attempts a final write after exit_fs() has been called
- The write operation triggers an internal lookup that accesses current->fs, which is now NULL
The exploitation does not require user interaction and can be reliably triggered to cause a kernel panic, resulting in denial of service.
Detection Methods for CVE-2025-21846
Indicators of Compromise
- Kernel panic messages referencing NULL pointer dereference in accounting-related code paths
- System crashes following unusual acct(2) system calls targeting sysfs or similar pseudo-filesystem paths
- Core dumps indicating crashes in kernel filesystem lookup routines triggered from accounting subsystem
Detection Strategies
- Monitor for processes invoking acct(2) system call with unusual file paths, particularly those pointing to /sys/power/resume or other sysfs entries
- Implement auditd rules to track acct(2) system call usage and flag attempts to configure accounting to special filesystem paths
- Deploy kernel live patching detection to identify systems running vulnerable kernel versions
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information during NULL pointer dereference events
- Configure system monitoring to alert on unexpected kernel panics, particularly those mentioning acct or filesystem lookup functions
- Review system call audit logs for suspicious acct(2) invocations targeting non-standard file paths
How to Mitigate CVE-2025-21846
Immediate Actions Required
- Update to a patched Linux kernel version that includes the workqueue-based fix for the accounting subsystem
- Restrict access to the acct(2) system call using seccomp filters or similar mechanisms where process accounting is not required
- Monitor systems for signs of exploitation attempts while patches are being deployed
Patch Information
The Linux kernel maintainers have released patches that reorganize the accounting code to perform the final write from a workqueue while preserving the caller's credentials. Multiple commit fixes are available:
- Linux Kernel Commit Update
- Linux Kernel Commit Fix
- Linux Kernel Commit Patch
- Linux Kernel Commit Security Update
Distribution-specific patches are also available via Debian LTS Security Announcements.
Workarounds
- If kernel patching is not immediately possible, consider disabling process accounting system-wide using acct(NULL) or preventing the acct(2) system call via seccomp profiles
- Restrict CAP_SYS_PACCT capability to only essential processes and users to limit who can configure process accounting
- Use mandatory access control systems (SELinux, AppArmor) to restrict which files can be targeted by the accounting subsystem
# Disable process accounting system-wide
acct off
# Example seccomp filter to block acct() system call (using systemd)
# Add to service unit file:
# SystemCallFilter=~@privileged
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
