CVE-2025-68183

Published: Dec 16, 2025

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h> int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; }

Vendor	Product	Versions
Linux	Linux	affected `e3ccfe1ad7d895487977ef64eda3441d16c9851a - < d2993a7e98eb70c737c6f5365a190e79c72b8407` affected `e3ccfe1ad7d895487977ef64eda3441d16c9851a - < edd824eb45e4f7e05ad3ab090dab6dbdb79cd292` affected `e3ccfe1ad7d895487977ef64eda3441d16c9851a - < 02aa671c08a4834bef5166743a7b88686fbfa023` affected `e3ccfe1ad7d895487977ef64eda3441d16c9851a - < 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd`
Linux	Linux	affected `5.14` unaffected `0 - < 5.14` unaffected `6.6.117 - <= 6.6.` unaffected `6.12.58 - <= 6.12.` unaffected `6.17.8 - <= 6.17.*` +1 more versions

References

https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407

https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292

https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023

https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-68183

Description

Affected Products

References