-

CVE-2025-39717

In the Linux kernel, the following vulnerability has been resolved:

open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE

As described in commit 7a54947e727b ('Merge patch series "fs: allow
changing idmappings"'), open_tree_attr(2) was necessary in order to
allow for a detached mount to be created and have its idmappings changed
without the risk of any racing threads operating on it. For this reason,
mount_setattr(2) still does not allow for id-mappings to be changed.

However, there was a bug in commit 2462651ffa76 ("fs: allow changing
idmappings") which allowed users to bypass this restriction by calling
open_tree_attr(2) *without* OPEN_TREE_CLONE.

can_idmap_mount() prevented this bug from allowing an attached
mountpoint's id-mapping from being modified (thanks to an is_anon_ns()
check), but this still allows for detached (but visible) mounts to have
their be id-mapping changed. This risks the same UAF and locking issues
as described in the merge commit, and was likely unintentional.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
Product Linux
Default Statusunaffected
Version < 69dbdc711d9130136824e3830191a6afffa0a1f0
Version 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f
Status affected
Version < 9308366f062129d52e0ee3f7a019f7dd41db33df
Version 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f
Status affected
VendorLinux
Product Linux
Default Statusaffected
Version 6.15
Status affected
Version < 6.15
Version 0
Status unaffected
Version <= 6.16.*
Version 6.16.4
Status unaffected
Version <= *
Version 6.17-rc3
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.03% 0.059
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string