logo_clicknbuy.png

CVE-2025-21834 – Docker Seccomp Uretprobe Passthrough Vulnerability

The following table lists the changes that have been made to the
CVE-2025-21834 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Mar. 06, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    seccomp: passthrough uretprobe systemcall without filtering

    When attaching uretprobes to processes running inside docker, the attached
    process is segfaulted when encountering the retprobe.

    The reason is that now that uretprobe is a system call the default seccomp
    filters in docker block it as they only allow a specific set of known
    syscalls. This is true for other userspace applications which use seccomp
    to control their syscall surface.

    Since uretprobe is a “kernel implementation detail” system call which is
    not used by userspace application code directly, it is impractical and
    there’s very little point in forcing all userspace applications to
    explicitly allow it in order to avoid crashing tracked processes.

    Pass this systemcall through seccomp without depending on configuration.

    Note: uretprobe is currently only x86_64 and isn’t expected to ever be
    supported in i386.

    [kees: minimized changes for easier backporting, tweaked commit log]
    Added Reference https://git.kernel.org/stable/c/5a262628f4cf2437d863fe41f9d427177b87664c
    Added Reference https://git.kernel.org/stable/c/cf6cb56ef24410fb5308f9655087f1eddf4452e6
    Added Reference https://git.kernel.org/stable/c/fa80018aa5be10c35e9fa896b7b4061a8dce3eed
Share the Post:

Related Posts