CVE-2025-39717 (GCVE-0-2025-39717)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-11 21:34
VLAI
Title
open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE
Summary
In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f , < 69dbdc711d9130136824e3830191a6afffa0a1f0 (git)
Affected: 2462651ffa76b87f9c2e4403ef6e6b89b703fb2f , < 9308366f062129d52e0ee3f7a019f7dd41db33df (git)
Create a notification for this product.
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.16.4 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69dbdc711d9130136824e3830191a6afffa0a1f0",
              "status": "affected",
              "version": "2462651ffa76b87f9c2e4403ef6e6b89b703fb2f",
              "versionType": "git"
            },
            {
              "lessThan": "9308366f062129d52e0ee3f7a019f7dd41db33df",
              "status": "affected",
              "version": "2462651ffa76b87f9c2e4403ef6e6b89b703fb2f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopen_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE\n\nAs described in commit 7a54947e727b (\u0027Merge patch series \"fs: allow\nchanging idmappings\"\u0027), open_tree_attr(2) was necessary in order to\nallow for a detached mount to be created and have its idmappings changed\nwithout the risk of any racing threads operating on it. For this reason,\nmount_setattr(2) still does not allow for id-mappings to be changed.\n\nHowever, there was a bug in commit 2462651ffa76 (\"fs: allow changing\nidmappings\") which allowed users to bypass this restriction by calling\nopen_tree_attr(2) *without* OPEN_TREE_CLONE.\n\ncan_idmap_mount() prevented this bug from allowing an attached\nmountpoint\u0027s id-mapping from being modified (thanks to an is_anon_ns()\ncheck), but this still allows for detached (but visible) mounts to have\ntheir be id-mapping changed. This risks the same UAF and locking issues\nas described in the merge commit, and was likely unintentional."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:53.958Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69dbdc711d9130136824e3830191a6afffa0a1f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9308366f062129d52e0ee3f7a019f7dd41db33df"
        }
      ],
      "title": "open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39717",
    "datePublished": "2025-09-05T17:21:24.528Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2026-05-11T21:34:53.958Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-39717",
      "date": "2026-05-27",
      "epss": "0.00026",
      "percentile": "0.07733"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39717\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-05T18:15:49.260\",\"lastModified\":\"2025-11-25T17:48:11.943\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nopen_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE\\n\\nAs described in commit 7a54947e727b (\u0027Merge patch series \\\"fs: allow\\nchanging idmappings\\\"\u0027), open_tree_attr(2) was necessary in order to\\nallow for a detached mount to be created and have its idmappings changed\\nwithout the risk of any racing threads operating on it. For this reason,\\nmount_setattr(2) still does not allow for id-mappings to be changed.\\n\\nHowever, there was a bug in commit 2462651ffa76 (\\\"fs: allow changing\\nidmappings\\\") which allowed users to bypass this restriction by calling\\nopen_tree_attr(2) *without* OPEN_TREE_CLONE.\\n\\ncan_idmap_mount() prevented this bug from allowing an attached\\nmountpoint\u0027s id-mapping from being modified (thanks to an is_anon_ns()\\ncheck), but this still allows for detached (but visible) mounts to have\\ntheir be id-mapping changed. This risks the same UAF and locking issues\\nas described in the merge commit, and was likely unintentional.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.15\",\"versionEndExcluding\":\"6.16.4\",\"matchCriteriaId\":\"7F0ABA2F-347D-450F-A06E-234E055E7302\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"327D22EF-390B-454C-BD31-2ED23C998A1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C730CD9A-D969-4A8E-9522-162AAF7C0EE9\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/69dbdc711d9130136824e3830191a6afffa0a1f0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9308366f062129d52e0ee3f7a019f7dd41db33df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.