ghsa-3cmq-72j9-674j
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
seccomp: passthrough uretprobe systemcall without filtering
When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe.
The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface.
Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes.
Pass this systemcall through seccomp without depending on configuration.
Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386.
[kees: minimized changes for easier backporting, tweaked commit log]
{
"affected": [],
"aliases": [
"CVE-2025-21834"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T17:15:23Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: passthrough uretprobe systemcall without filtering\n\nWhen attaching uretprobes to processes running inside docker, the attached\nprocess is segfaulted when encountering the retprobe.\n\nThe reason is that now that uretprobe is a system call the default seccomp\nfilters in docker block it as they only allow a specific set of known\nsyscalls. This is true for other userspace applications which use seccomp\nto control their syscall surface.\n\nSince uretprobe is a \"kernel implementation detail\" system call which is\nnot used by userspace application code directly, it is impractical and\nthere\u0027s very little point in forcing all userspace applications to\nexplicitly allow it in order to avoid crashing tracked processes.\n\nPass this systemcall through seccomp without depending on configuration.\n\nNote: uretprobe is currently only x86_64 and isn\u0027t expected to ever be\nsupported in i386.\n\n[kees: minimized changes for easier backporting, tweaked commit log]",
"id": "GHSA-3cmq-72j9-674j",
"modified": "2025-03-06T18:31:11Z",
"published": "2025-03-06T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a262628f4cf2437d863fe41f9d427177b87664c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf6cb56ef24410fb5308f9655087f1eddf4452e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa80018aa5be10c35e9fa896b7b4061a8dce3eed"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.