dpkg: dpkg-deb temporary directory permission handling flaw leading to disk exhaustion DoS (CVE-2025-6297) #shorts
Summary
Today we’re talking about CVE-2025-6297, a vulnerability in the dpkg-deb tool used by Debian and its derivatives. This flaw can lead to denial-of-service conditions on systems that repeatedly extract adversarial .deb packages, ultimately filling up disk space or exhausting user quotas.
Product details
The issue affects dpkg versions before commit ed6bbd445dd8800308c67236ba35d08004c98e82 in Debian. Fedora has also shipped fixes: Fedora 41 upgrades dpkg to version 1.22.20 to address the issue, and Fedora 42 includes the same security patch as part of its dpkg update.
Vulnerability type summary
CVE-2025-6297 is a directory-permission and temporary-file sanitation error in dpkg-deb. By not properly sanitizing control archive extraction paths, it allows repeated execution against crafted .deb files to consume all available disk space, causing a local denial of service.
Details of the vulnerability
When dpkg-deb extracts the control member of a .deb into a temporary directory, it assumes that directory cleanup is always permitted. If that directory is placed on a filesystem with quotas or restricted permissions, malicious packages can force dpkg-deb to leave behind large, well-compressible files. Automated or repeated extractions then fill the disk or hit quota limits. Over time this leads to broken package installations, failed upgrades, or full disks that require administrator intervention to clean up.
Conclusion
CVE-2025-6297 is not a remote code execution flaw, but its impact can cripple package management on affected systems. Administrators should immediately upgrade dpkg to the patched versions in Debian and Fedora, remove any leftover temporary files, and verify disk usage. Prompt patching will restore the intended safe-operation guarantees of dpkg-deb.
Watch the full video on YouTube: CVE-2025-6297
Remediation and exploitation details
This chain involves the following actors:
- Attacker: crafts and executes malicious package extraction to exhaust disk space
- System Administrator: maintains and secures dpkg environments
The following systems are involved:
- Debian dpkg-deb (extract Debian package archives): package installation and manipulation tool
- Temporary Directory (holds extracted control files during dpkg-deb operations): cleanup area for extraction
Attack entry point
- Adversarial .deb package: malformed package with control archive entries that set restrictive permissions on extracted directories
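As an added defensive check (not part of the advisory or of dpkg itself), the script below inspects a .deb's control tarball for directory entries whose mode lacks owner write, the property that leaves extracted directories behind after cleanup. It assumes the package is a plain ar archive carrying a control.tar.gz/.bz2/.xz member, and it constructs its own labelled sample input rather than reading a real package.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"

def ar_members(data):
    """Yield (name, body) for each member of a plain ar archive (the .deb container)."""
    if data[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                # fixed 60-byte member header
        name = hdr[0:16].decode().rstrip(" /")  # space padded; GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)           # bodies are padded to an even offset

def find_unremovable_dirs(deb_bytes):
    """Return (name, mode) for control.tar.* directory entries that lack owner write.

    These are the entries the advisory describes: a 0555 directory, once extracted,
    blocks cleanup by an unprivileged dpkg-deb run. gz/bz2/xz control tarballs are
    handled; zstd is not (tarfile has no zstd support).
    """
    hits = []
    for name, body in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
            for m in tf.getmembers():
                if m.isdir() and not m.mode & 0o200:
                    hits.append((m.name.rstrip("/"), m.mode))
    return hits

def build_sample_deb(dir_mode):
    """Constructed test input: minimal .deb whose control.tar.gz holds one 'tmp' directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        entry = tarfile.TarInfo("tmp")
        entry.type = tarfile.DIRTYPE
        entry.mode = dir_mode
        tf.addfile(entry)

    def member(name, body):  # one ar header plus body, padded to an even length
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}".encode() + b"`\n"
        return hdr + body + (b"\n" if len(body) % 2 else b"")

    return AR_MAGIC + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())
```

Running `find_unremovable_dirs` over packages before they reach an automated extraction pipeline flags the entries that would otherwise accumulate in the temporary directory.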
Remediation actions
Exploitation actions
Create a control.tar.* that defines a subdirectory with permissions preventing non-root removal
- Embed a directory 'tmp/' in control.tar.gz and set mode 0555 to block cleanup
Invoke dpkg-deb --control on the malicious .deb in a directory where the user cannot remove files
- mkdir /var/lockdir && chmod 555 /var/lockdir && dpkg-deb --control evil.deb /var/lockdir
Repeat extraction in the same protected directory so leftover control files cannot be deleted
- Run the extraction command hundreds of times to stack up orphaned files
Fill available disk or user quota to prevent further installations or operations
- Subsequent package manager operations fail with 'no space left on device' errors
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
- [2025-07-01] Debian dpkg vulnerability CVE-2025-6297 allows for privilege escalation through manipulation of unknown data.
- [2025-07-22] Fedora 42 updates to resolve dpkg critical disk usage issue and fix CVE-2025-6297.
- [2025-07-25] Fedora 41 updates dpkg to version 1.22.20 with a critical CVE-2025-6297 security fix and general cleanup.