CVE-2025-68814 Overview
A memory leak vulnerability has been identified in the Linux kernel's io_uring subsystem, specifically within the __io_openat_prep() function. The vulnerability occurs when a struct filename is allocated via getname() but is not properly cleaned up under certain conditions, leading to memory leakage over time.
Critical Impact
This memory leak vulnerability can lead to system resource exhaustion through repeated exploitation, potentially causing denial of service conditions on affected Linux systems.
Affected Products
- Linux kernel versions with io_uring support containing the vulnerable __io_openat_prep() function
- Systems utilizing io_uring for asynchronous I/O operations with fixed file tables
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-68814 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68814
Vulnerability Analysis
The vulnerability resides in the __io_openat_prep() function within the Linux kernel's io_uring implementation. When preparing an openat operation, the function allocates memory for a struct filename using the getname() kernel function. Under normal operation, this allocated memory should be tracked for cleanup when the io_uring request is torn down.
However, a specific code path exists where the function returns early without proper cleanup preparation. When a file is being installed in the fixed file table AND has the O_CLOEXEC flag set, the function exits before the REQ_F_NEED_CLEANUP flag is set on the request. This flag is essential for signaling to the io_uring cleanup routines that the request contains resources requiring deallocation.
Without this flag, the kernel's request teardown logic does not free the struct filename memory, resulting in a memory leak. Repeated triggering of this condition can cause progressive memory exhaustion on the affected system.
Root Cause
The root cause is a missing flag assignment in the early return path of __io_openat_prep(). The REQ_F_NEED_CLEANUP flag must be set immediately after a successful getname() call to ensure the allocated struct filename is properly tracked for cleanup. The fix repositions this flag assignment to occur right after the getname() allocation succeeds, guaranteeing that all code paths properly mark the request for resource cleanup.
Attack Vector
The attack vector requires local access to the system with the ability to submit io_uring requests. An attacker could exploit this vulnerability by:
- Opening a file descriptor using io_uring with the fixed file table installation option
- Specifying the O_CLOEXEC flag on the open operation
- Repeating this operation to continuously leak memory
Over time, this could exhaust available kernel memory, leading to system instability or denial of service. While this is primarily a local attack vector, any service or application using io_uring with these specific parameters could be abused.
Detection Methods for CVE-2025-68814
Indicators of Compromise
- Steadily increasing kernel memory consumption without corresponding process memory growth
- System logs indicating memory pressure or OOM (Out of Memory) killer activity
- Unusual io_uring activity patterns in process monitoring or system call tracing
- Slab allocator statistics showing growth in filename-related caches
Detection Strategies
- Monitor /proc/slabinfo for abnormal growth in filp or names_cache allocations
- Implement kernel memory usage alerting with thresholds for unexpected consumption patterns
- Use eBPF or ftrace to trace __io_openat_prep() calls and correlate with memory allocation metrics
- Deploy auditd rules to track io_uring syscalls with specific flag combinations
Monitoring Recommendations
- Configure memory monitoring alerts for kernel slab cache growth patterns
- Implement periodic review of /proc/meminfo MemFree and Slab values
- Monitor for repeated io_uring openat operations from untrusted processes
- Enable kernel memory debugging options in non-production environments to detect leaks
How to Mitigate CVE-2025-68814
Immediate Actions Required
- Update to a patched Linux kernel version that includes the REQ_F_NEED_CLEANUP fix
- If immediate patching is not possible, consider restricting io_uring access through seccomp policies
- Monitor system memory usage closely on affected systems pending remediation
- Evaluate and limit untrusted code's ability to use io_uring operations
Patch Information
The Linux kernel development team has released patches that fix this memory leak vulnerability. The fix ensures the REQ_F_NEED_CLEANUP flag is set immediately after a successful getname() call in __io_openat_prep(), guaranteeing proper cleanup regardless of the code path taken.
Multiple stable kernel commits address this vulnerability:
- Kernel Commit 18b99fa6
- Kernel Commit 7fbfb85b
- Kernel Commit 8f44c4a5
- Kernel Commit b14fad55
- Kernel Commit e232269d
Workarounds
- Disable io_uring system-wide using kernel boot parameter io_uring.disabled=1 if not required
- Apply seccomp filters to restrict io_uring access for untrusted applications
- Implement cgroup memory limits to contain the impact of potential memory leaks
- Use process isolation to limit which processes can perform io_uring operations
# Disable io_uring system-wide (add to kernel boot parameters)
io_uring.disabled=1
# Or restrict via sysctl (kernel version dependent)
sysctl -w kernel.io_uring_disabled=2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
