CVE-2025-38499

In the Linux kernel, the following vulnerability has been resolved:

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to.

clone_private_mnt() checks the former, but not the latter.

There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.

Published: Aug 11, 2025
Updated: Jan 8, 2026
CVE: CVE-2025-38499
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	4.4.281	4.5
linux / linux_kernel	4.9.280	4.10
linux / linux_kernel	4.14.244	4.15
linux / linux_kernel	4.19.204	4.20
linux / linux_kernel	5.4.141	5.5
linux / linux_kernel	5.10.59	5.11
linux / linux_kernel	5.13.11	5.14
linux / linux_kernel	5.14.1	5.15.190
linux / linux_kernel	5.16	6.1.147
linux / linux_kernel	6.2	6.6.100
linux / linux_kernel	6.7	6.12.40
linux / linux_kernel	6.13	6.15.3
linux / linux_kernel	5.14	5.14.x
linux / linux_kernel	5.14-rc6	5.14-rc6.x
linux / linux_kernel	5.14-rc7	5.14-rc7.x
debian / debian_linux	11.0	11.0.x

Vulnerability Database

318,756

CVE-2025-38499

Deep Security Visibility Without the Complexity