CVE-2025-38499

Summary

In the Linux kernel, the following vulnerability has been resolved:

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to.

clone_private_mnt() checks the former, but not the latter.

There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < 36fecd740de2d542d2091d65d36554ee2bcf9c65affected
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < d717325b5ecf2a40daca85c61923e17f32306179affected
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < dc6a664089f10eab0fb36b6e4f705022210191d2affected
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < e77078e52fbf018ab986efb3c79065ab35025607affected
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < 38628ae06e2a37770cd794802a3f1310cf9846e3affected
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631 < c28f922c9dcee0e4876a2c095939d77fe7e15116affected
LinuxLinuxc6e8810d25295acb40a7b69ed3962ff181919571affected
LinuxLinuxe3eee87c846dc47f6d8eb6d85e7271f24122a279affected
LinuxLinux517b875dfbf58f0c6c9e32dc90f5cf42d71a42ceaffected
LinuxLinux963d85d630dabe75a3cfde44a006fec3304d07b8affected
LinuxLinux812f39ed5b0b7f34868736de3055c92c7c4cf459affected
LinuxLinux6a002d48a66076524f67098132538bef17e8445eaffected
LinuxLinux41812f4b84484530057513478c6770590347dc30affected
LinuxLinux4.4.281 < 4.5affected
LinuxLinux4.9.280 < 4.10affected
LinuxLinux4.14.244 < 4.15affected
LinuxLinux4.19.204 < 4.20affected
LinuxLinux5.4.141 < 5.5affected
LinuxLinux5.10.59 < 5.11affected
LinuxLinux5.13.11 < 5.14affected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.147 <= 6.1.*unaffected
LinuxLinux6.6.100 <= 6.6.*unaffected
LinuxLinux6.12.40 <= 6.12.*unaffected
LinuxLinux6.15.3 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References