CVE-2025-21834

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/03/2025
Last modified:
29/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

seccomp: passthrough uretprobe systemcall without filtering

When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe.

The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface.

Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes.

Pass this systemcall through seccomp without depending on configuration.

Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386.

[kees: minimized changes for easier backporting, tweaked commit log]

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
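
To triage hosts against the ranges in the table above, the following added example (not part of the advisory or of the kernel project) compares a `uname -r` style release string with them. It assumes the string starts with the upstream version; distribution kernels may carry the fix as a backport under an older version number, so a match is an indication to check the vendor changelog, not proof.

```python
import re

# Affected upstream ranges copied from the CPE table on this page:
# (first affected, first fixed); lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [((6, 11, 0), (6, 12, 14)), ((6, 13, 0), (6, 13, 3))]
# The single pre-release the table lists: 6.14-rc1.
AFFECTED_PRERELEASES = {((6, 14, 0), 1)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def is_affected(release):
    """True/False per the table; None when the table cannot decide.

    Release candidates are matched only against the one the page lists,
    because the From/Up to columns describe final releases.
    """
    version, rc = parse_release(release)
    if rc is not None:
        return True if (version, rc) in AFFECTED_PRERELEASES else None
    return any(low <= version < high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    import platform

    rel = platform.release()
    verdict = {True: "in an affected range", False: "not in a listed range",
               None: "pre-release not covered by the table"}[is_affected(rel)]
    print(f"{rel}: {verdict}")
```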