CVE-2025-68183
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

Currently, when both IMA and EVM are in fix mode, the IMA signature is reset to an IMA hash if a program first stores an IMA signature in security.ima and then writes or removes some other security xattr on the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing or reinstalling a package does not produce a good reference IMA signature. Instead an IMA hash is generated:

```
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
```

This happens because, when security.selinux is set, the IMA_DIGSIG flag that had been set earlier is cleared. As a result, an IMA hash is generated when the file is closed. Similarly, the IMA signature can be cleared on file close after removing a security xattr such as security.evm, or after setting or removing an ACL.

Prevent the IMA file signature from being replaced with a file hash by preventing the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer, which sets security.selinux as the last step; that step can also be replaced by removing security.evm or setting an ACL:

```c
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
    const char *file_path = "/usr/sbin/test_binary";
    /* hex-encoded security.ima value; leading 0x03 = EVM_IMA_XATTR_DIGSIG, i.e. a signature */
    const char *hex_string = "030204d33204490066306402304";
    int length = strlen(hex_string);
    int nbytes = (length + 1) / 2;   /* round up: the string has an odd number of hex digits */
    unsigned char *ima_attr_value;
    int fd;

    fd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd == -1) {
        perror("Error opening file");
        return 1;
    }

    ima_attr_value = malloc(nbytes);
    if (ima_attr_value == NULL) {
        perror("malloc");
        close(fd);
        return 1;
    }
    /* decode the hex string two digits at a time into raw bytes */
    for (int i = 0, j = 0; i < length; i += 2, j++)
        sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);

    /* step 1: store the IMA signature in security.ima (sets IMA_DIGSIG) */
    if (fsetxattr(fd, "security.ima", ima_attr_value, nbytes, 0) == -1) {
        perror("Error setting extended attribute");
        free(ima_attr_value);
        close(fd);
        return 1;
    }
    free(ima_attr_value);

    /* step 2: set a non-IMA security xattr; this wrongly clears IMA_DIGSIG */
    const char *selinux_value = "system_u:object_r:bin_t:s0";
    if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
        perror("Error setting extended attribute");
        close(fd);
        return 1;
    }

    /* step 3: on close, IMA fix mode rewrites security.ima as a hash */
    close(fd);
    return 0;
}
```
Meta Information
Published: 2025-12-16
Last Modified: 2025-12-18
Generated: 2026-05-07
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's Integrity Measurement Architecture (IMA) when both IMA and Extended Verification Module (EVM) are in fix mode. If a program first stores an IMA signature in the security.ima extended attribute and then writes or removes another security extended attribute (like security.selinux or security.evm), the IMA_DIGSIG flag is incorrectly cleared. This causes the IMA signature to be replaced by an IMA hash when the file is closed, which means the original IMA signature is lost or reset improperly. The vulnerability allows the IMA file signature to be replaced with a less secure hash due to the flag being reset during certain xattr operations.


How can this vulnerability impact me?

This vulnerability can impact you by causing the loss or replacement of the original IMA file signature with a weaker IMA hash when modifying certain security extended attributes on files. This undermines the integrity verification of files, potentially allowing unauthorized or unverified changes to go undetected, which could weaken system security and trust in file integrity measurements.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if the IMA signature is being reset to an IMA hash when setting or removing non-IMA extended attributes (xattr) such as security.selinux, security.evm, or ACLs on files. One way to observe this is by using the command: # getfattr -m - -d -e hex /usr/bin/bash to inspect the security.ima attribute. If the IMA_DIGSIG flag is cleared improperly, the IMA signature will be replaced by a hash upon file close. Additionally, reproducing the issue can be done by setting security.ima and then setting or removing other security xattrs as shown in the provided minimal C code example.
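As an added example (not code from the BaseFortify page or the kernel commit), the following Python script classifies security.ima values by their leading type byte and parses `getfattr -m - -d -e hex` output, so the downgrade shown in the description (a 0x04... hash where a 0x03... signature was expected) and suggested as the detection check above can be spotted across many files at once. The type-byte values are the kernel's enum evm_ima_xattr_type; the sample getfattr output and its digest bytes are constructed.

```python
import re

# First byte of security.ima, from the kernel's enum evm_ima_xattr_type.
IMA_XATTR_DIGEST = 0x01          # legacy hash (no hash-algorithm byte)
EVM_IMA_XATTR_DIGSIG = 0x03      # signature: what a signed package should carry
IMA_XATTR_DIGEST_NG = 0x04       # hash with algorithm byte: the downgraded form
IMA_VERITY_DIGSIG = 0x06         # fs-verity based signature
HASH_TYPES = {IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG}
SIGNATURE_TYPES = {EVM_IMA_XATTR_DIGSIG, IMA_VERITY_DIGSIG}

def classify_ima_xattr(raw: bytes) -> str:
    """Return 'signature', 'hash', 'missing' or 'unknown' for a raw security.ima value."""
    if not raw:
        return "missing"
    if raw[0] in SIGNATURE_TYPES:
        return "signature"
    if raw[0] in HASH_TYPES:
        return "hash"
    return "unknown"

IMA_LINE = re.compile(r"^security\.ima=0x([0-9a-fA-F]+)$")

def parse_getfattr_hex(output: str) -> dict:
    """Map each '# file:' path in `getfattr -m - -d -e hex` output to its classification."""
    result, path = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            result[path] = "missing"          # until a security.ima line is seen
        elif path is not None and (m := IMA_LINE.match(line)):
            result[path] = classify_ima_xattr(bytes.fromhex(m.group(1)))
    return result

def downgraded_files(output: str) -> list:
    """Paths whose security.ima is a hash, i.e. the signature has been replaced."""
    return sorted(p for p, c in parse_getfattr_hex(output).items() if c == "hash")

# Constructed sample getfattr output: bash downgraded to a sha256 hash (0x04 0x04),
# ls still carrying a v2 signature (0x03 0x02). Digest bytes are placeholders.
SAMPLE_OUTPUT = """\
# file: usr/bin/bash
security.ima=0x0404aabbccdd
security.selinux=0x73797374656d5f7500

# file: usr/bin/ls
security.ima=0x0302041122334455
"""
```

Run it against real `getfattr -R -m - -d -e hex /usr/bin` output to list every binary whose reference signature has been replaced by a hash.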


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the issue is resolved, which prevents the IMA_DIGSIG flag from being cleared when setting or removing non-IMA extended attributes. In the meantime, avoid operations that set or remove non-IMA xattrs like security.selinux, security.evm, or ACLs on files that have IMA signatures until the kernel is patched. Also, boot the kernel with appropriate parameters such as "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and use tools like rpm-plugin-ima carefully to avoid triggering the issue.

