CVE-2025-39717 — Vulnetix

CVE-2025-39717 PUBLISHED CVSS 7.800000190734863 HIGH

In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.

EPSS 0.02% · 4.7th percentile

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.02%

4.7th percentile

Affected Products

Vendor	Product	Versions
linux	linux_kernel	6.15, 6.15, 6.15
Linux	Linux	2462651ffa76b87f9c2e4403ef6e6b89b703fb2f, 6.17, 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f

Timeline

Jan 21, 1970 Security Advisory
Sep 5, 2025 Coalition ESS Score
Sep 5, 2025 CVE Published
Sep 6, 2025 EPSS Score
Sep 8, 2025 Coalition ESS Score
Sep 13, 2025 EPSS Score
Sep 20, 2025 EPSS Score
Sep 27, 2025 EPSS Score
Oct 4, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score
Oct 9, 2025 Coalition ESS Score

References

Open in Interactive Console →