AZL-56285

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-56285.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-56285

Upstream

CVE-2025-21672

Published

2025-01-31T12:15:28Z

Modified

2026-04-01T05:19:44.477759Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2025-21672 affecting package kernel 5.15.200.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

afs: Fix merge preference rule failure condition

syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released.

Fix this by store the error in ret and jump to done to clean up instead of returning directly.

[dh: Modified Lizhi Xu's original patch to make it honour the error code from afssplitstring()]

[1] WARNING: lock held when returning to user space!

6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted

syz-executor133/5823 is leaving the kernel with locks still held! 1 lock held by syz-executor133/5823: #0: ffff888071cffc00 (&sb->stype->imutexkey#9){++++}-{4:4}, at: inodelock include/linux/fs.h:818 [inline] #0: ffff888071cffc00 (&sb->stype->imutexkey#9){++++}-{4:4}, at: afsprocaddrprefswrite+0x2bb/0x14e0 fs/afs/addrprefs.c:388

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21672

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.15.200.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-56285.json"