CVE-2025-39717

HIGH

Linux Kernel 6.15-6.16.3 - Use-After-Free via open_tree_attr Without OPEN_TREE_CLONE

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/69dbdc711d9130136824e3830191a6afffa0a1f0

Patch

https://git.kernel.org/stable/c/9308366f062129d52e0ee3f7a019f7dd41db33df

Scores

CVSS v3 7.8

EPSS 0.0014

EPSS Percentile 3.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (9)

linux/Kernel 6.15.0 - 6.16.4linux

Linux/Linux < 6.15

Linux/Linux 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f - 69dbdc711d9130136824e3830191a6afffa0a1f0

Linux/Linux 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f - 9308366f062129d52e0ee3f7a019f7dd41db33df

Linux/Linux 6.15

Linux/Linux 6.16.4 - 6.16.*

Linux/Linux 6.17

linux/linux_kernel 6.17 rc1 (2 CPE variants)

linux/linux_kernel 6.15 - 6.16.4

Published Sep 05, 2025

Tracked Since Feb 18, 2026