Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64013.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-64013
Upstream
Published
2025-06-18T10:15:38Z
Modified
2026-04-01T05:20:15.026665Z
Summary
CVE-2025-38058 affecting package kernel for versions less than 6.6.96.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock

... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().

Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.96.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64013.json"