CVE-2025-21887
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-21887 is a use-after-free (UAF) in the Linux kernel's overlayfs (ovl) filesystem. In ovl_link_up(), dput(upper) drops the reference to the upper dentry before the function calls ovl_dentry_update_reval(), which then reads upper->d_flags in ovl_dentry_remote(). If that dput() released the last reference, the read touches freed slab memory, which KASAN reports as a slab-use-after-free in ovl_dentry_remote(). The reported call chain is ovl_rename() -> ovl_copy_up_flags() -> ovl_copy_up_one() -> ovl_link_up(), i.e. the link-up step of a copy-up. The bug is classified as CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation is local: an attacker with low privileges (PR:L) who can operate on a writable overlayfs mount, for example by issuing a rename that triggers copy-up of a file, can reach the vulnerable path with low attack complexity and no user interaction. A use-after-free on a dentry leaves the kernel reading a slab slot it no longer owns; if that slot is reused, the stale read and the flag update derived from it operate on memory the attacker may influence, so realistic outcomes range from a kernel crash (denial of service) to privilege escalation, which is why the vector rates confidentiality, integrity and availability impact as High. Two points matter for triage: the path needs a writable overlayfs mount the attacker can act on (container runtimes commonly provide one, and since Linux 5.11 overlayfs can be mounted from an unprivileged user namespace where those are enabled), and ovl_link_up() is the step that links an already copied-up upper inode into the upper parent, which is the hardlink/index case of copy-up rather than every rename, so a generic rename fuzzer crash is not by itself evidence of this bug.
Mitigation is to run a kernel that contains the fix, which moves dput(upper) in ovl_link_up() after the last use of upper. The upstream fix and its stable backports are referenced by commits 3594aad97e7b, 4b49d939b5a7, 60b4b5c1277f, 64455c8051c3 and a7c41830ffcd; all apply the same reordering. Distributions ship it inside their regular kernel updates, so verify the running kernel against the vendor advisory rather than the upstream version string alone. Where a patched kernel cannot be deployed immediately, exposure can be reduced by not handing untrusted local users writable overlayfs mounts (for example by restricting unprivileged user namespaces where the platform allows it); that limits reachability but is not a fix.
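The ordering bug and its fix, modelled as an added example in user-space C. This is not the kernel's code: the struct dentry, the toy slab with its poison and "freed" marker, the uaf_reports counter and run_link_up() are hypothetical stand-ins, and the function names only mirror the overlayfs routines named above so the two orderings can be read side by side.

```c
/* Added example (not the Linux kernel's code): models the dput()-before-use bug
 * fixed for CVE-2025-21887 and the corrected ordering, with a toy slab that
 * records reads of freed objects the way KASAN would report them. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DCACHE_OP_REVALIDATE 0x00000004u  /* same bit value as include/linux/dcache.h */
#define POISON_FREE          0x6b         /* byte pattern a poisoning slab writes into freed objects */
#define NR_SLOTS             4

struct dentry {                 /* hypothetical, far smaller than the real struct dentry */
    unsigned int d_count;       /* reference count, dropped by dput() */
    unsigned int d_flags;
    bool freed;                 /* toy stand-in for KASAN's "object is freed" shadow state */
};

static struct dentry slab[NR_SLOTS];   /* constructed pool standing in for the dentry cache */
static int uaf_reports;                /* incremented on every read of a freed object */

static void slab_reset(void)
{
    memset(slab, 0, sizeof slab);
    uaf_reports = 0;
}

static struct dentry *dentry_alloc(unsigned int flags)
{
    for (int i = 0; i < NR_SLOTS; i++) {
        if (slab[i].d_count == 0) {        /* slot not in use (never used, or freed) */
            slab[i].d_count = 1;
            slab[i].d_flags = flags;
            slab[i].freed = false;
            return &slab[i];
        }
    }
    return NULL;
}

static void dput(struct dentry *d)
{
    if (--d->d_count == 0) {
        /* Last reference gone: the object returns to the slab and is poisoned. */
        memset(&d->d_flags, POISON_FREE, sizeof d->d_flags);
        d->freed = true;
    }
}

/* Stand-in for ovl_dentry_remote(): reads d_flags of the real dentry.
 * Reading a freed object is the slab-use-after-free KASAN reported. */
static bool ovl_dentry_remote(struct dentry *upper)
{
    if (upper->freed)
        uaf_reports++;
    return upper->d_flags & DCACHE_OP_REVALIDATE;
}

/* Stand-in for ovl_dentry_update_reval(): propagate the remote flag to the overlay dentry. */
static void ovl_dentry_update_reval(struct dentry *ovl, struct dentry *upper)
{
    if (ovl_dentry_remote(upper))
        ovl->d_flags |= DCACHE_OP_REVALIDATE;
}

static void ovl_link_up_before_fix(struct dentry *ovl, struct dentry *upper)
{
    dput(upper);                          /* reference dropped too early ... */
    ovl_dentry_update_reval(ovl, upper);  /* ... then upper->d_flags is read */
}

static void ovl_link_up_after_fix(struct dentry *ovl, struct dentry *upper)
{
    ovl_dentry_update_reval(ovl, upper);  /* last use of upper */
    dput(upper);                          /* reference dropped after it */
}

struct link_up_result {
    int uaf_reports;          /* how many freed-object reads the toy detector saw */
    unsigned int ovl_flags;   /* flags the overlay dentry ended up with */
};

/* Constructed scenario: the upper dentry is "remote" (has d_revalidate) and
 * link_up holds its last reference, so dput() frees it. */
struct link_up_result run_link_up(bool fixed)
{
    slab_reset();
    struct dentry *ovl = dentry_alloc(0);
    struct dentry *upper = dentry_alloc(DCACHE_OP_REVALIDATE);
    if (fixed)
        ovl_link_up_after_fix(ovl, upper);
    else
        ovl_link_up_before_fix(ovl, upper);
    struct link_up_result r = { uaf_reports, ovl->d_flags };
    dput(ovl);
    return r;
}

int main(void)
{
    struct link_up_result bad = run_link_up(false), good = run_link_up(true);
    printf("before fix: %d use-after-free read(s), ovl flags 0x%x\n", bad.uaf_reports, bad.ovl_flags);
    printf("after fix:  %d use-after-free read(s), ovl flags 0x%x\n", good.uaf_reports, good.ovl_flags);
    return 0;
}
```

The buggy ordering both trips the detector and computes the wrong result: the bit it tests comes from poisoned memory, so the overlay dentry silently loses its revalidate flag. In the kernel the freed slot can instead be reoccupied by another object, which is what turns the stale read into the corruption primitive the CVSS impacts describe.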
Details
CWE(s): CWE-416 (Use After Free)
Affected Products: Linux kernel (overlayfs, fs/overlayfs)
MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation)
Why these techniques?
A use-after-free in kernel filesystem code that an unprivileged local user can trigger maps to Exploitation for Privilege Escalation: the attacker drives the copy-up/rename path that frees and then reads the upper dentry, and uses the resulting kernel memory corruption to execute code in kernel context.