July 3, 2026 Stories worth reading. Perspectives worth sharing.
CVE-2025-68736: Landlock Bypass via Disconnected Directory Handling—Threat, Detection, and Response
Cybersecurity

CVE-2025-68736: Landlock Bypass via Disconnected Directory Handling—Threat, Detection, and Response

Mo Wasay June 26, 2026 6 min read
CVE-2025-68736: Landlock Bypass via Disconnected Directory Handling—Threat, Detection, and Response

THREAT BRIEF

On June 2024, Microsoft disclosed CVE-2025-68736, a vulnerability in the Linux Landlock security module related to the handling of disconnected directories. Landlock, merged into the Linux kernel to provide application sandboxing, enforces access control policies on file system objects. The flaw allows attackers to bypass Landlock policies by exploiting improperly handled disconnected directories, potentially escalating privileges or accessing restricted files.

WHAT CHANGED IN THIS RELEASE / ADVISORY

  • Versions Affected: Linux kernels with Landlock support, specifically those prior to the yet-to-be-released patch for CVE-2025-68736. Landlock was upstreamed in Linux 5.13, so all distributions shipping 5.13 or later with Landlock enabled are potentially exposed.
  • Behavioural Change: Previously, Landlock failed to properly check directory ancestry when a directory became disconnected (unlinked or moved from its parent). This allowed processes to interact with files outside of their intended Landlock restrictions.
  • Fix: The upcoming patch ensures disconnected directories are correctly handled and access controls remain enforced regardless of directory link state.

SCOPE & IMPACT

This vulnerability affects any Linux system running a kernel with Landlock enabled (typically, 5.13+), where Landlock is used to sandbox untrusted code, containers, or applications. Distributions known to compile Landlock in by default (e.g., recent Fedora, Ubuntu, and Debian releases) are at higher risk if users or processes actively leverage Landlock for sandboxing. Systems not using Landlock are not exposed.

Impact: A local attacker or compromised process can bypass Landlock file access restrictions, potentially leading to privilege escalation, information disclosure, or unauthorized file modifications. This is especially critical in multi-tenant/containerized environments relying on Landlock for isolation.

HOW IT WORKS

Landlock restricts file system operations by tracking directory ancestry and enforcing defined policy rules. When a directory is “disconnected”—for example, when moved outside of its parent or unlinked from the file system—the original implementation failed to revalidate the ancestry against Landlock rules. Attackers can deliberately disconnect a directory, then access files that should have been restricted, bypassing the intended Landlock policy boundaries. This undermines the core security model Landlock provides.

DETECTION

To check whether your system is potentially exposed:

  • Confirm Landlock is enabled and in use.
  • Identify kernel version and active sandboxing policies.

Run the following Bash script (requires jq and root privileges) to check for Landlock support and active policies:

#!/bin/bash
set -euo pipefail

# Check kernel version
KERNEL_VER=$(uname -r)
MIN_LANDLOCK_VER=5.13

version_ge() {
  [ "$1" = "$2" ] && return 0
  [  "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

if version_ge "$KERNEL_VER" "$MIN_LANDLOCK_VER"; then
  echo "[INFO] Kernel $KERNEL_VER supports Landlock (>=5.13)."
  if grep -q landlock /proc/filesystems; then
    echo "[INFO] Landlock is supported in this kernel."
    # Check if any processes are using Landlock (best-effort for now)
    if grep -r landlock /proc/*/status 2>/dev/null | grep -q "Landlock"; then
      echo "[ALERT] Some running processes are using Landlock policies."
    else
      echo "[INFO] No active Landlock policies detected in running processes."
    fi
  else
    echo "[INFO] Landlock is not enabled in /proc/filesystems."
  fi
else
  echo "[OK] Kernel $KERNEL_VER is older than 5.13; not exposed."
fi

Note: There is no direct userland API to enumerate all active Landlock policies; this script offers a best-effort check. For containerized environments, audit your sandboxing frameworks for Landlock usage.

REMEDIATION

  • Patch Kernel: Monitor your distribution for the CVE-2025-68736 Landlock patch and apply it as soon as available. If compiling your own kernels, backport the upstream fix once released. Reboot is required after kernel update.
  • Restrict Untrusted Code: Minimize reliance on Landlock as a sole sandboxing control until patched. Layer with seccomp, AppArmor, SELinux, or container isolation where possible.
  • Audit Policies: Review applications and scripts leveraging Landlock to ensure they cannot be trivially bypassed by directory unlinking or manipulation. Harden code to check for directory state changes before allowing sensitive operations.
  • Monitor Logs: Increase monitoring for abnormal file system activity, especially involving directory moves or unlinks by processes under Landlock control.

Remediation Script (Dry Run)

To identify binaries or services using Landlock (dry-run):

#!/bin/bash
set -euo pipefail

echo "[DRY RUN] Listing processes potentially using Landlock:"
ps -eo pid,comm | while read pid comm; do
  if grep -q landlock "/proc/$pid/maps" 2>/dev/null; then
    echo "  PID $pid ($comm) may be using Landlock APIs."
  fi
done

Use this report to prioritize patching/mitigation for identified workloads.

MITIGATION PRIORITY

Immediate: Landlock is often used to sandbox high-risk or privileged code. This vulnerability allows a straightforward policy bypass. Patch as soon as your distribution provides a fix. In the interim, do not trust Landlock for strong isolation and layer with other controls as a compensating measure.

WHAT’S COMING

  • Major Linux distributions are expected to backport the Landlock patch in their next security update window (within weeks of upstream acceptance).
  • Future Landlock releases may introduce more robust ancestry and unlink handling. Monitor kernel mailing lists for backport status if you maintain custom kernels.
  • Vendors may also provide updated Landlock documentation and best-practice guidance once the patch is released.

TREND CHECK

The class of sandbox policy bypasses via improper file system state handling is not new, but increased use of Landlock in modern containerized and application isolation stacks raises the stakes. Landlock is still a young subsystem compared to AppArmor or SELinux—this is not its first bypass, but patches are arriving faster and with more scrutiny. The vendor (Linux kernel community) is demonstrating improving response times, but practitioners should treat Landlock as a defense-in-depth mechanism, not a silver bullet.

No active exploitation has been observed as of this writing, but the simplicity of the bypass path and the ease of local exploitation mean threat actors may soon add this to their arsenal, especially in multi-tenant hosting and SaaS contexts.

RELATED THREATS & ADVISORIES

  • Similar sandbox bypasses have been observed in seccomp, AppArmor, and container runtimes—recent advisories in 2023/2024 reinforce the need for layered controls.
  • Keep an eye on advisories from Docker, Podman, and Kubernetes for upstream mitigations as they may indirectly depend on Landlock for some isolation use cases.

Bottom line: If you use Landlock for sandboxing, patch as soon as possible and layer with additional controls. This vulnerability is easy to exploit and undermines critical isolation guarantees.