CVE-2025-38396

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-38396

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38396.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-38396

Downstream

BELL-CVE-2025-38396

DEBIAN-CVE-2025-38396

DLA-4328-1

DSA-5973-1

ECHO-2f4d-5df6-38b8

OESA-2025-1959

OESA-2025-1960

OESA-2025-1961

RHSA-2025:16904

RHSA-2025:20518

RLSA-2025:16904

RLSA-2025:20518

ROOT-OS-DEBIAN-12-CVE-2025-38396

ROOT-OS-UBUNTU-2404-CVE-2025-38396

SUSE-SU-2025:02853-1

SUSE-SU-2025:02923-1

SUSE-SU-2025:02969-1

SUSE-SU-2025:02996-1

SUSE-SU-2025:02997-1

SUSE-SU-2025:03011-1

SUSE-SU-2025:03023-1

SUSE-SU-2025:03636-1

SUSE-SU-2025:03638-1

SUSE-SU-2025:03646-1

SUSE-SU-2025:03650-1

SUSE-SU-2025:20577-1

SUSE-SU-2025:20586-1

SUSE-SU-2025:20601-1

SUSE-SU-2025:20602-1

SUSE-SU-2025:20873-1

SUSE-SU-2025:20874-1

SUSE-SU-2025:20875-1

SUSE-SU-2025:20876-1

SUSE-SU-2025:20877-1

SUSE-SU-2025:20878-1

SUSE-SU-2025:20879-1

SUSE-SU-2025:20881-1

SUSE-SU-2025:20882-1

SUSE-SU-2025:20883-1

SUSE-SU-2025:20884-1

SUSE-SU-2025:20885-1

SUSE-SU-2025:20886-1

SUSE-SU-2025:20887-1

SUSE-SU-2025:20888-1

SUSE-SU-2025:20890-1

SUSE-SU-2025:20891-1

SUSE-SU-2025:20902-1

SUSE-SU-2025:20903-1

SUSE-SU-2025:20904-1

SUSE-SU-2025:20905-1

SUSE-SU-2025:20906-1

SUSE-SU-2025:20907-1

SUSE-SU-2025:20909-1

SUSE-SU-2025:20912-1

SUSE-SU-2025:20913-1

SUSE-SU-2025:20914-1

SUSE-SU-2025:20915-1

SUSE-SU-2025:20916-1

SUSE-SU-2025:20917-1

SUSE-SU-2025:20918-1

SUSE-SU-2025:20920-1

SUSE-SU-2025:21074-1

SUSE-SU-2025:21139-1

SUSE-SU-2025:21179-1

SUSE-SU-2025:3742-1

SUSE-SU-2025:3748-1

SUSE-SU-2025:3755-1

SUSE-SU-2025:3762-1

SUSE-SU-2025:3764-1

SUSE-SU-2025:3765-1

SUSE-SU-2025:3768-1

SUSE-SU-2025:3771-1

SUSE-SU-2025:3772-1

openSUSE-SU-2025:20081-1

Related

Published

2025-07-25T12:53:40.761Z

Modified

2026-03-20T12:42:50.402275Z

Summary

fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass

Details

In the Linux kernel, the following vulnerability has been resolved:

fs: export anoninodemakesecureinode() and fix secretmem LSM bypass

Export anoninodemakesecureinode() to allow KVM guestmemfd to create anonymous inodes with proper security context. This replaces the current pattern of calling allocanoninode() followed by inodeinitsecurityanon() for creating security context manually.

This change also fixes a security regression in secretmem where the SPRIVATE flag was not cleared after allocanon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors.

As guestmemfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guestmemfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38396.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2bfe15c5261212130f1a71f32a300bcf426443d4

Fixed

66d29d757c968d2bee9124816da5d718eb352959

Fixed

e3eed01347721cd7a8819568161c91d538fbf229

Fixed

f94c422157f3e43dd31990567b3e5d54b3e5b32b

Fixed

6ca45ea48530332a4ba09595767bd26d3232743b

Fixed

cbe4134ea4bc493239786220bd69cb8a13493190

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38396.json"