{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22072", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.814Z", "datePublished": "2025-04-16T14:12:24.571Z", "dateUpdated": "2025-11-03T19:41:52.282Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:17:51.679Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix gang directory lifetimes\n\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\n\nUnfortunately, it had been fixed the wrong way. Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput(). Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\n\nFix consists of\n\t* reverting the commit in question\n\t* adding a counter to gang, protected by ->i_rwsem\nof gang directory inode.\n\t* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it's not 0.\n\t* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/platforms/cell/spufs/gang.c", "arch/powerpc/platforms/cell/spufs/inode.c", "arch/powerpc/platforms/cell/spufs/spufs.h"], "versions": [{"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "880e7b3da2e765c1f90c94c0539be039e96c7062", "status": "affected", "versionType": "git"}, {"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "324f280806aab28ef757aecc18df419676c10ef8", "status": "affected", "versionType": "git"}, {"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "029d8c711f5e5fe8cf63e8a4a1a140a06e224e45", "status": "affected", "versionType": "git"}, {"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "903733782f3ae28a2f7fe4dfb47c7fe3e079a528", "status": "affected", "versionType": "git"}, {"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "fc646a6c6d14b5d581f162a7e32999f789e3a3ac", "status": "affected", "versionType": "git"}, {"version": "877907d37da9694a34adc9dc3e2ce09400148cb5", "lessThan": "c134deabf4784e155d360744d4a6a835b9de4dd4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/platforms/cell/spufs/gang.c", "arch/powerpc/platforms/cell/spufs/inode.c", "arch/powerpc/platforms/cell/spufs/spufs.h"], "versions": [{"version": "2.6.22", "status": "affected"}, {"version": "0", "lessThan": "2.6.22", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.134", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.87", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.1.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.6.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.12.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.13.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062"}, {"url": "https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8"}, {"url": "https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45"}, {"url": "https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528"}, {"url": "https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac"}, {"url": "https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4"}], "title": "spufs: fix gang directory lifetimes", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:41:52.282Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7D78018-09B2-438A-BDB7-F4182E5E081C", "versionEndExcluding": "6.1.134", "versionStartIncluding": "2.6.23", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF24260-49B1-4251-9477-C564CFDAD25B", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*", "matchCriteriaId": "7F7D6C66-3384-4ACC-9D08-C5A26B4FD004", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.22:rc5:*:*:*:*:*:*", "matchCriteriaId": "830B8340-2B8F-4F0A-8943-F4413411573C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.22:rc6:*:*:*:*:*:*", "matchCriteriaId": "D123AAFE-3F17-45C4-9382-BA392FD022C4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.22:rc7:*:*:*:*:*:*", "matchCriteriaId": "E0C256E6-2691-4478-A51C-DE580A717AB9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix gang directory lifetimes\n\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\n\nUnfortunately, it had been fixed the wrong way. Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput(). Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\n\nFix consists of\n\t* reverting the commit in question\n\t* adding a counter to gang, protected by ->i_rwsem\nof gang directory inode.\n\t* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it's not 0.\n\t* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spufs: corrige la duraci\u00f3n del directorio de pandillas. Antes de \"[POWERPC] spufs: corrige las fugas de destrucci\u00f3n de pandillas\", ten\u00edamos un problema con la duraci\u00f3n de las pandillas: al crear una pandilla, se devolv\u00eda el directorio de pandillas abierto, que normalmente se elimina al cerrarse. Sin embargo, si alguien creaba un contexto perteneciente a esa pandilla y lo manten\u00eda activo hasta que se cerraba, la eliminaci\u00f3n fallaba y se produc\u00eda una fuga. Desafortunadamente, se solucion\u00f3 incorrectamente. La dentry del directorio de pandillas ya no estaba fijada y rmdir al cerrar se hab\u00eda eliminado. Un problema era que, al fallar la apertura, se segu\u00eda llamando a simple_rmdir() como limpieza, lo que implicaba un dput() desequilibrado. Otro error, en el caso de \u00e9xito, era que la creaci\u00f3n de una pandilla incrementaba el n\u00famero de enlaces en el directorio ra\u00edz, pero esto ya no se deshac\u00eda al destruirla. La soluci\u00f3n consiste en: * revertir el commit en cuesti\u00f3n * a\u00f1adir un contador a la pandilla, protegido por ->i_rwsem del inodo del directorio de pandillas. * tenerlo establecido en 1 en el momento de la creaci\u00f3n, descartado tanto en spufs_dir_close() como en spufs_gang_close() y agregado en spufs_create_context(), siempre que no sea 0. * usar simple_recursive_removal() para sacar el directorio de pandillas cuando el contador llega a cero."}], "id": "CVE-2025-22072", "lastModified": "2025-11-03T20:17:42.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:16:01.390", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: spufs: fix gang directory lifetimes", "id": "2360245", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360245"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nspufs: fix gang directory lifetimes\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\nUnfortunately, it had been fixed the wrong way. Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput(). Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\nFix consists of\n* reverting the commit in question\n* adding a counter to gang, protected by ->i_rwsem\nof gang directory inode.\n* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it's not 0.\n* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero."], "name": "CVE-2025-22072", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22072\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22072\nhttps://lore.kernel.org/linux-cve-announce/2025041610-CVE-2025-22072-83bd@gregkh/T"], "threat_severity": "Low"}