CVE-2025-21672: Medium Vulnerability in Linux Kernel

A medium-severity vulnerability in the Linux kernel could allow local attackers to cause a denial of service. Organizations should prioritize patching to mitigate risks associated with this vulnerability.

MEDIUM · CVSS 5.5 · Published January 31, 2025

A medium-severity vulnerability (CVSS 5.5) has been identified in the Linux kernel's AFS (Andrew File System) code, in the failure handling of the merge preference rule. A lock can remain held when the kernel returns to user space, which local attackers can potentially use to cause a denial of service.

The issue arises on an error path: if the argument count (argc) is less than zero, the function returns directly without releasing the inode lock it holds. The lock is therefore retained, which can cause system instability.

Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability, particularly in environments where the Linux kernel is deployed.

As of now, there is no public exploit confirmed for this vulnerability, and it has not been included in the Known Exploited Vulnerabilities (KEV) database.

The urgency for defenders is high, as this vulnerability could be leveraged by attackers to disrupt services.

Vulnerability Details

The official description of the vulnerability states that it involves a fix for a merge preference rule failure condition in the Linux kernel. Specifically, syzbot reported that a lock is held when returning to user space due to improper error handling.

The CVSS 3.1 vector string for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating that the attack vector is local, the attack complexity is low, and it requires low privileges with no user interaction.

This vulnerability affects Linux kernel versions prior to 6.12.11 and certain release candidates in the 6.13 series.

Technical Analysis

The root cause of the vulnerability stems from error handling in the AFS code, which fails to properly release locks under certain conditions. This is critical as it can lead to a denial of service if an attacker can trigger this condition.

The attack vector is local, meaning that an attacker must have access to the system to exploit this vulnerability. The complexity of the attack is low, as it does not require advanced skills or user interaction.

The impact on availability is high, as the retained locks can cause the system to become unresponsive.
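The early-return pattern described above, as an added user-space illustration rather than the kernel's AFS code: the lock stand-in, `split_args`, and both `write_prefs_*` functions are hypothetical names. It shows the flawed error path beside the corrected single-exit form, and how one rejected input leaves every later caller blocked.

```c
#include <errno.h>
#include <stdatomic.h>
#include <string.h>

/* User-space stand-in for the inode lock. It uses try-lock semantics so a
 * leaked lock shows up as -EBUSY instead of hanging the caller. */
static atomic_flag inode_lock = ATOMIC_FLAG_INIT;
static int  lock_try(void)  { return !atomic_flag_test_and_set(&inode_lock); }
static void lock_drop(void) { atomic_flag_clear(&inode_lock); }

/* Hypothetical tokenizer: argument count, or negative errno on bad input. */
static int split_args(const char *buf)
{
    size_t n = strlen(buf);
    int argc = 1;
    if (n == 0 || n > 64)
        return -EINVAL;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == ' ')
            argc++;
    return argc;
}

/* Flawed pattern: the argc < 0 path returns with the lock still held. */
int write_prefs_flawed(const char *buf)
{
    if (!lock_try())
        return -EBUSY;
    int argc = split_args(buf);
    if (argc < 0)
        return argc;                /* early return, lock never dropped */
    lock_drop();
    return argc;
}

/* Corrected pattern: every exit after the lock is taken passes one unlock. */
int write_prefs_fixed(const char *buf)
{
    int ret;
    if (!lock_try())
        return -EBUSY;
    ret = split_args(buf);
    if (ret < 0)
        goto out;
out:
    lock_drop();
    return ret;
}
void reset_lock(void) { lock_drop(); }  /* test helper only; no kernel analogue */
```

In the kernel the equivalent lock blocks rather than failing, so the leaked state appears as tasks stuck waiting on the inode instead of an error code.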

Risk & Impact Analysis

The real-world risk to organizations includes potential service disruption, particularly in environments relying on the Linux kernel for critical operations. The blast radius for this vulnerability could be significant if exploited in a multi-tenant environment.

Given the CVSS score of 5.5, organizations should address this issue in their priority patch cycle to avoid potential service interruptions.

The urgency for patching is categorized as medium, but with the risk of denial of service, organizations are advised to act sooner rather than later.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

The following versions of the Linux kernel are affected by this vulnerability: all versions prior to 6.12.11 and 6.13 release candidates (rc1 through rc6).

Mitigation & Remediation

Organizations should update to the latest patched version of the Linux kernel to mitigate this vulnerability. The patches addressing this issue can be found in the official Linux kernel repositories.

In instances where immediate patching is not feasible, organizations may review their configurations for security hardening and implement monitoring solutions to detect potential exploitation attempts.

For additional resources and best practices, organizations can refer to our vulnerability management program design.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual activity associated with the AFS subsystem and inode locks.

Behavioral anomalies in user space processes that interact with the AFS should also be flagged for review.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in its demonstration of the complexities involved in kernel-level programming, particularly with resource management.

Security teams should consider this as a reminder of the importance of thorough testing and validation of kernel patches, as even minor changes can introduce significant risks.

For further insights on similar vulnerabilities, organizations may benefit from our guide on Linux security best practices, as well as our comprehensive penetration testing methodology guide.

Ultimately, proactive measures and regular security assessments are critical to safeguarding systems against vulnerabilities like CVE-2025-21672.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
