CVE-2025-39717
In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
EPSS 0.03% · 8.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 6.15, 6.15, 6.15 |
| Linux | Linux | 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f, 6.15, 0 |
Exploit Intelligence
- https://git.kernel.org/stable/c/69dbdc711d9130136824e3830191a6afffa0a1f0 (circl)
- https://git.kernel.org/stable/c/9308366f062129d52e0ee3f7a019f7dd41db33df (circl)
- TestCaseRule-CVE-2025-38555.yara (github-yara)
- TestCaseRule-CVE-2025-38555.yara (github-yara)
- TestCaseRule-CVE-2025-38555.yara (github-yara)
- TestCaseRule-CVE-2025-38555.yara (github-yara)
- TestCaseRule-CVE-2025-38555.yara (github-yara)
Timeline
- Jan 21, 1970 Security Advisory
- Sep 5, 2025 Coalition ESS Score
- Sep 5, 2025 CVE Published
- Sep 6, 2025 EPSS Score
- Sep 8, 2025 Coalition ESS Score
- Sep 13, 2025 EPSS Score
- Sep 21, 2025 EPSS Score
- Sep 28, 2025 EPSS Score
- Oct 4, 2025 Coalition ESS Score
- Oct 6, 2025 EPSS Score
- Oct 6, 2025 Coalition ESS Score
- Oct 9, 2025 Coalition ESS Score