GHSA-3CMQ-72J9-674J
Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2025-10-29 21:30In the Linux kernel, the following vulnerability has been resolved:
seccomp: passthrough uretprobe systemcall without filtering
When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe.
The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface.
Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes.
Pass this systemcall through seccomp without depending on configuration.
Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386.
[kees: minimized changes for easier backporting, tweaked commit log]
{
"affected": [],
"aliases": [
"CVE-2025-21834"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T17:15:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: passthrough uretprobe systemcall without filtering\n\nWhen attaching uretprobes to processes running inside docker, the attached\nprocess is segfaulted when encountering the retprobe.\n\nThe reason is that now that uretprobe is a system call the default seccomp\nfilters in docker block it as they only allow a specific set of known\nsyscalls. This is true for other userspace applications which use seccomp\nto control their syscall surface.\n\nSince uretprobe is a \"kernel implementation detail\" system call which is\nnot used by userspace application code directly, it is impractical and\nthere\u0027s very little point in forcing all userspace applications to\nexplicitly allow it in order to avoid crashing tracked processes.\n\nPass this systemcall through seccomp without depending on configuration.\n\nNote: uretprobe is currently only x86_64 and isn\u0027t expected to ever be\nsupported in i386.\n\n[kees: minimized changes for easier backporting, tweaked commit log]",
"id": "GHSA-3cmq-72j9-674j",
"modified": "2025-10-29T21:30:32Z",
"published": "2025-03-06T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a262628f4cf2437d863fe41f9d427177b87664c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf6cb56ef24410fb5308f9655087f1eddf4452e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa80018aa5be10c35e9fa896b7b4061a8dce3eed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.