CVE-2025-22072 Affecting linux-virt package, versions <6.12.24-r0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-MINIMOSLATEST-LINUXVIRT-13804620
- published2 Nov 2025
- disclosed16 Apr 2025
Introduced: 16 Apr 2025
CVE-2025-22072 (opens in a new tab)How to fix?
Upgrade Minimos:latest linux-virt to version 6.12.24-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream linux-virt package and not the linux-virt package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
spufs: fix gang directory lifetimes
prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and kept it alive until the gang got closed, removal failed and we ended up with a leak.
Unfortunately, it had been fixed the wrong way. Dentry of gang directory was no longer pinned, and rmdir on close was gone. One problem was that failure of open kept calling simple_rmdir() as cleanup, which meant an unbalanced dput(). Another bug was in the success case - gang creation incremented link count on root directory, but that was no longer undone when gang got destroyed.
Fix consists of * reverting the commit in question * adding a counter to gang, protected by ->i_rwsem of gang directory inode. * having it set to 1 at creation time, dropped in both spufs_dir_close() and spufs_gang_close() and bumped in spufs_create_context(), provided that it's not 0. * using simple_recursive_removal() to take the gang directory out when counter reaches zero.
References
- https://www.cve.org/CVERecord?id=CVE-2025-22072
- https://github.com/advisories/GHSA-v6rx-qqxh-7pj6
- https://osv.dev/vulnerability/MINI-q5wq-m49g-w4r2
- https://osv.dev/vulnerability/CVE-2025-22072
- https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45
- https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8
- https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062
- https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528
- https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4
- https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html