Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68805

CVE-2025-68805: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68805 is a use-after-free flaw in the Linux kernel fuse subsystem that causes list corruption when requests are terminated. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-68805 Overview

CVE-2025-68805 is a Linux kernel vulnerability in the Filesystem in Userspace (FUSE) io-uring implementation. When a request terminates before it has been committed, the kernel fails to remove the request from the queue's list. The dangling list entry leads to list corruption and a use-after-free condition in kernel memory.

The issue affects the FUSE subsystem when accessed through the io-uring interface, a high-performance asynchronous I/O mechanism. Successful exploitation could allow a local attacker to corrupt kernel data structures, potentially escalating privileges or destabilizing the system.

Critical Impact

List corruption and use-after-free in the Linux kernel FUSE io-uring path can lead to local privilege escalation or kernel panic.

Affected Products

  • Linux kernel versions implementing FUSE io-uring support
  • Distributions shipping unpatched upstream kernel builds
  • Systems exposing FUSE filesystems to unprivileged users

Discovery Timeline

  • 2026-01-13 - CVE-2025-68805 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-68805

Vulnerability Analysis

The vulnerability resides in the FUSE io-uring request lifecycle management. FUSE uses queues to track outstanding requests between the kernel and userspace filesystem daemons. When an io-uring request is submitted, it is added to a per-queue list pending commit by the userspace handler.

If the request is terminated before the commit step completes, the cleanup path does not unlink the request from the queue's list. The list now references a freed or soon-to-be-freed request structure. Subsequent list traversal operations dereference the stale pointer, triggering list corruption and a use-after-free [CWE-416].

The upstream fix removes the terminated non-committed request from the queue's list during teardown. Reference patches are available at the first kernel commit and the second kernel commit.

Root Cause

The root cause is missing list removal logic in the FUSE io-uring termination path. The code assumed termination occurred after commit, where list cleanup already happens. Requests terminated before commit bypass this cleanup and leave dangling list_head entries pointing to freed memory.

Attack Vector

A local attacker with the ability to mount or interact with a FUSE filesystem can trigger the condition. The attacker submits io-uring FUSE requests and forces early termination before the userspace daemon commits them. Repeated triggering corrupts kernel list structures and creates exploitable use-after-free windows.

No verified public exploit is available. See the upstream commits for the technical fix details.

Detection Methods for CVE-2025-68805

Indicators of Compromise

  • Kernel oops or panic messages referencing fuse_uring, list_del, or list_add corruption
  • Unexpected KASAN: use-after-free warnings in kernel logs tied to FUSE structures
  • Process crashes or hangs in userspace FUSE daemons during request teardown

Detection Strategies

  • Monitor dmesg and journalctl -k output for list debugging warnings such as list_del corruption referencing FUSE symbols
  • Enable CONFIG_DEBUG_LIST and KASAN on test kernels to surface corruption earlier
  • Audit running kernel versions against patched stable releases referenced in the upstream commits

Monitoring Recommendations

  • Track kernel version inventory across Linux endpoints and servers to identify unpatched hosts
  • Alert on unprivileged user-space mounts of FUSE filesystems on production systems
  • Forward kernel ring buffer logs to a centralized logging platform for correlation of crash signatures

How to Mitigate CVE-2025-68805

Immediate Actions Required

  • Apply the stable kernel updates that include commits 95c39eef7c2b and a6d1f1ace16d
  • Restrict FUSE mount capabilities to trusted users where possible by limiting user_allow_other and fusermount permissions
  • Reboot systems after kernel updates to load the patched code paths

Patch Information

The fix is merged upstream in the Linux kernel stable tree. Distribution vendors backport the change to their supported kernel branches. Refer to the first kernel commit and the second kernel commit for source-level changes.

Workarounds

  • Disable io-uring support for FUSE workloads where the feature is not required
  • Prevent unprivileged users from mounting FUSE filesystems by tightening /etc/fuse.conf and removing the suid bit from fusermount on multi-tenant hosts
  • Use kernel lockdown or seccomp policies to restrict access to io-uring syscalls from untrusted processes
bash
# Verify running kernel version and confirm patch presence
uname -r

# Restrict fusermount to trusted group only
sudo chgrp fuse /usr/bin/fusermount3
sudo chmod 4750 /usr/bin/fusermount3

# Disable io_uring system-wide if not required
sysctl -w kernel.io_uring_disabled=2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.