CVE-2025-68736
Unknown Unknown - Not Provided
Access Control Bypass in Linux Kernel Landlock via Disconnected Directories

Publication date: 2025-12-24

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2026-04-02
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68736
EUVD
EUVD-2025-205226
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's Landlock security module mishandling 'disconnected directories'β€”directories that have been moved or renamed out of the scope of a bind mount but are still accessible through it. Previously, access rights for files opened through such disconnected directories were incorrectly calculated by walking the filesystem hierarchy without considering the mount point, leading to inconsistent access results and potential widening of access rights. This could cause security issues and make debugging difficult. The fix ensures that Landlock correctly accounts for the mount point and filesystem hierarchy when evaluating access rights, preventing unauthorized access widening during renames.


How can this vulnerability impact me? :

This vulnerability can lead to inconsistent and potentially widened access rights for sandboxed tasks using Landlock, meaning that a process might gain more permissions than intended when accessing files or directories through disconnected directories. This could result in unauthorized access to files or directories, undermining the security guarantees of the sandbox and potentially exposing sensitive data or allowing unauthorized operations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for handling disconnected directories in Landlock. This fix ensures that access rights are correctly enforced and prevents access right widening during renames involving disconnected directories.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart