Bug 2429082 (CVE-2025-68814)

Summary: CVE-2025-68814 kernel: Linux kernel: Memory leak in io_uring's __io_openat_prep() leading to denial of service
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's io_uring subsystem. A local user could exploit this vulnerability due to a memory leak in the __io_openat_prep() function. This occurs when a file is installed in the fixed file table with the O_CLOEXEC flag set, leading to the struct filename memory not being properly cleaned up. This memory leak could result in a denial of service (DoS) on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-13 16:05:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix filename leak in __io_openat_prep()

 __io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.

Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Comment 1 Jon Moroney 2026-01-15 00:39:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011312-CVE-2025-68814-146a@gregkh/T