{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38499", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.022Z", "datePublished": "2025-08-11T16:01:08.257Z", "dateUpdated": "2025-11-03T17:39:08.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-28T14:43:32.428Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo. \"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/namespace.c"], "versions": [{"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "36fecd740de2d542d2091d65d36554ee2bcf9c65", "status": "affected", "versionType": "git"}, {"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "d717325b5ecf2a40daca85c61923e17f32306179", "status": "affected", "versionType": "git"}, {"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "dc6a664089f10eab0fb36b6e4f705022210191d2", "status": "affected", "versionType": "git"}, {"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "e77078e52fbf018ab986efb3c79065ab35025607", "status": "affected", "versionType": "git"}, {"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "38628ae06e2a37770cd794802a3f1310cf9846e3", "status": "affected", "versionType": "git"}, {"version": "427215d85e8d1476da1a86b8d67aceb485eb3631", "lessThan": "c28f922c9dcee0e4876a2c095939d77fe7e15116", "status": "affected", "versionType": "git"}, {"version": "c6e8810d25295acb40a7b69ed3962ff181919571", "status": "affected", "versionType": "git"}, {"version": "e3eee87c846dc47f6d8eb6d85e7271f24122a279", "status": "affected", "versionType": "git"}, {"version": "517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce", "status": "affected", "versionType": "git"}, {"version": "963d85d630dabe75a3cfde44a006fec3304d07b8", "status": "affected", "versionType": "git"}, {"version": "812f39ed5b0b7f34868736de3055c92c7c4cf459", "status": "affected", "versionType": "git"}, {"version": "6a002d48a66076524f67098132538bef17e8445e", "status": "affected", "versionType": "git"}, {"version": "41812f4b84484530057513478c6770590347dc30", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/namespace.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.147", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.100", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.40", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.3", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.147"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.6.100"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.40"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.15.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.281"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.280"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.244"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.204"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.141"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"}, {"url": "https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"}, {"url": "https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"}, {"url": "https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"}, {"url": "https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"}, {"url": "https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"}], "title": "clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T17:39:08.627Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo. \"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clone_private_mnt(): asegurar que el llamador tenga CAP_SYS_ADMIN en los usuarios correctos. Lo que queremos es verificar que clone no exponga algo oculto por un montaje que no podamos deshacer. \"No se puede deshacer\" puede ser el resultado de MNT_LOCKED en un hijo, pero tambi\u00e9n puede provenir de la falta de derechos de administrador en los usuarios del espacio de nombres al que pertenece el montaje. clone_private_mnt() comprueba lo primero, pero no lo segundo. Hay varias comprobaciones de CAP_SYS_ADMIN bastante confusas en varios usuarios durante el montaje, especialmente con la nueva API de montaje; tienen diferentes prop\u00f3sitos y, en el caso de clone_private_mnt(), generalmente, aunque no siempre, cubren la comprobaci\u00f3n faltante mencionada anteriormente."}], "id": "CVE-2025-38499", "lastModified": "2025-11-03T18:16:25.993", "metrics": {}, "published": "2025-08-11T16:15:30.057", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns", "id": "2387670", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387670"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38499", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38499\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38499\nhttps://lore.kernel.org/linux-cve-announce/2025081112-CVE-2025-38499-4572@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-08-12T07:41:42.380778+00:00", "updated": "2025-08-12T07:41:42.380851+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}