Home

Description

In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-05 | Updated 2025-09-29 | Assigner Linux

Product status

Default status
unaffected

2462651ffa76b87f9c2e4403ef6e6b89b703fb2f (git) before 69dbdc711d9130136824e3830191a6afffa0a1f0
affected

2462651ffa76b87f9c2e4403ef6e6b89b703fb2f (git) before 9308366f062129d52e0ee3f7a019f7dd41db33df
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

6.16.4 (semver)
unaffected

6.17 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/69dbdc711d9130136824e3830191a6afffa0a1f0

git.kernel.org/...c/9308366f062129d52e0ee3f7a019f7dd41db33df

cve.org (CVE-2025-39717)

nvd.nist.gov (CVE-2025-39717)

Download JSON