平台
rust
组件
youki
修复版本
0.5.8
0.5.7
CVE-2025-62596 is a critical Denial of Service (DoS) vulnerability affecting the youki AppArmor handler. The vulnerability arises from insufficient write-target validation combined with path substitution during pathname resolution, allowing attackers to write to unintended locations within the procfs filesystem. Successful exploitation could lead to system instability and denial of service. This vulnerability impacts versions prior to 0.5.7 and has been resolved in version 0.5.7.
The core of the vulnerability lies in youki's weak write-target check. While it verifies that the destination resides within the procfs directory, it fails to prevent redirection to sensitive files. This is compounded by path substitution during pathname resolution, where a shared-mount race condition can be exploited. For example, a write intended for /proc/self/attr/apparmor/exec could be successfully redirected to /proc/sys/kernel/hostname, both of which are located within procfs. This allows an attacker to potentially overwrite critical kernel parameters or disrupt system processes, leading to a denial of service. The blast radius is significant, as successful exploitation could impact the entire system's stability and availability.
CVE-2025-62596 was published on 2025-11-05. The CVSS score of 10 (Critical) indicates a high probability of exploitation. Currently, there are no publicly known Proof-of-Concept (POC) exploits, but the vulnerability's severity and the ease of potential exploitation suggest it may become a target for attackers. The EPSS score is likely to be assessed as high due to the critical CVSS score and the potential for widespread impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
漏洞利用状态
EPSS
0.06% (18% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-62596 is to upgrade to version 0.5.7 of youki. This version includes the necessary fixes to address the insufficient write-target validation and prevent path substitution vulnerabilities. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the procfs filesystem using AppArmor profiles. Carefully review and harden existing AppArmor configurations to minimize the potential attack surface. Monitoring system logs for unusual write activity to procfs locations can also aid in early detection of potential exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable path substitution scenario and verifying that the write is now denied.
Actualice youki a la versión 0.5.7 o superior. Esta versión corrige la validación de escritura y evita la manipulación de rutas que permiten la escalada de privilegios y la denegación de servicio. La actualización se puede realizar descargando la última versión desde el repositorio oficial o utilizando el gestor de paquetes correspondiente.
漏洞分析和关键警报直接发送到您的邮箱。
It's a critical Denial of Service (DoS) vulnerability in the youki AppArmor handler, allowing unauthorized writes to procfs, potentially disrupting system operations.
You are affected if you are using youki versions prior to 0.5.7. Check your version and upgrade immediately.
Upgrade to youki version 0.5.7. If immediate upgrade isn't possible, restrict access to procfs using AppArmor profiles as a temporary workaround.
No public exploits are currently known, but the high CVSS score suggests a potential for exploitation. Monitor security advisories.
Refer to the official CVE entry on the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2025-62596) and any relevant security advisories from your distribution.
上传你的 Cargo.lock 文件,立即知道是否受影响。