{"id":"CVE-2025-21887","summary":"ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up","details":"In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper-\u003ed_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n \u003c/TASK\u003e","modified":"2026-03-20T12:41:13.563212Z","published":"2025-03-27T14:57:14.524Z","related":["ALSA-2025:10379","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20206-1","SUSE-SU-2025:20270-1","SUSE-SU-2025:20283-1","USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21887.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f77618291836168eca99e89cd175256f928f5e64"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21887.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21887"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"714ba10a6dd19752a349e59aa875f3288ccb59b9"},{"fixed":"f77618291836168eca99e89cd175256f928f5e64"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"62f29ca45f832e281fc14966ac25f6ff3bd121ca"},{"fixed":"4b49d939b5a79117f939b77cc67efae2694d9799"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e4f2a1feebb3f209a0fca82aa53507a5b8be4d53"},{"fixed":"a7c41830ffcd17b2177a95a9b99b270302090c35"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b07d5cc93e1b28df47a72c519d09d0a836043613"},{"fixed":"64455c8051c3aedc71abb7ec8d47c80301f99f00"},{"fixed":"3594aad97e7be2557ca9fa9c931b206b604028c8"},{"fixed":"60b4b5c1277fc491da9e1e7abab307bfa39c2db7"},{"fixed":"c84e125fff2615b4d9c259e762596134eddd2f27"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"33ab4dd6202f359558a0a2678b94d1b9994c17e5"},{"last_affected":"1ecdc55e5cd9f70f8d7513802971d4cffb9f77af"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}