In the Linux kernel, the following vulnerability has been resolved:
open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE
As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed.
However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) without OPEN_TREE_CLONE.
can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39717.json"
}