Security Vulnerability Report
CVE-2025-68351 CVSS 5.5 MEDIUM

CVE-2025-68351

Published: 2025-12-24 11:15:58
Last Modified: 2026-02-26 15:53:26
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix refcount leak in exfat_find

Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.

Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocates two checks to avoid possible leaks.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

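cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.12.23 up to, but not including, 6.12.68) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.12.59 up to, but not including, 6.13) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13.11 up to, but not including, 6.14) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.14.1 up to, but not including, 6.18.2) - VULNERABLE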
cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:* - VULNERABLE
Linux kernel exfat driver (check the git commit history for the affected stable versions)
Related git commit: 9aee8de970f18c2aaaa348e3de86c38e2d956c1d
Related git commit: d009ff8959d28d2a33aeb96a5f7e7161c421d78f
Related git commit: fc9ce762525e73438d31b613f18bca92a4d3d578

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// This is a kernel-level vulnerability that requires local access
// No public PoC available. The vulnerability is triggered through
// normal file system operations on exfat partitions.
#include <stdio.h>

/*
 * Note: This vulnerability is in the Linux kernel exfat driver.
 * Triggering requires:
 * 1. A system with exfat filesystem mounted
 * 2. Local access with low privileges
 * 3. File system operations that call exfat_find
 *
 * The actual exploitation involves:
 * - Creating/manipulating files on exfat partition
 * - Causing exfat_find to be called with specific conditions
 * - Triggering the refcount leak path
 *
 * This is a resource management bug, not directly exploitable
 * for code execution. It leads to DoS through resource exhaustion.
 */
int main(void)
{
    /* Placeholder only: prints informational text and triggers nothing. */
    printf("CVE-2025-68351 PoC - Kernel exfat refcount leak\n");
    printf("This requires kernel debugging/exploitation framework\n");
    printf("Not directly exploitable from user space\n");
    return 0;
}

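References

https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d (Patch)
https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f (Patch)
https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578 (Patch)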

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68351", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-24T11:15:58.447", "lastModified": "2026-02-26T15:53:25.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.23", "versionEndExcluding": "6.12.68", "matchCriteriaId": "28943D23-3250-40EE-B96D-D85863D638ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.59", "versionEndExcluding": "6.13", "matchCriteriaId": "1323075B-EB55-4141-B0AB-902D5B5D1EC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.11", "versionEndExcluding": "6.14", "matchCriteriaId": 
"124AE182-7E9F-4410-9E08-5976ED49C6A4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.1", "versionEndExcluding": "6.18.2", "matchCriteriaId": "8B01DCEF-D70D-4DFC-B763-72CBBD6EC614"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*", "matchCriteriaId": "7DE421BA-0600-4401-A175-73CAB6A6FB4E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}