{"id":"CVE-2025-38499","summary":"clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo.  \"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.","modified":"2026-04-02T12:48:00.470389Z","published":"2025-08-11T16:01:08.257Z","related":["ALSA-2025:23241","ALSA-2025:23279","SUSE-SU-2025:03204-1","SUSE-SU-2025:03272-1","SUSE-SU-2025:03283-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03310-1","SUSE-SU-2025:03314-1","SUSE-SU-2025:03344-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03383-1","SUSE-SU-2025:03384-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:03636-1","SUSE-SU-2025:03638-1","SUSE-SU-2025:03643-1","SUSE-SU-2025:03646-1","SUSE-SU-2025:03650-1","SUSE-SU-2025:03652-1","SUSE-SU-2025:03653-1","SUSE-SU-2025:03656-1","SUSE-SU-2025:03662-1","SUSE-SU-2025:03663-1","SUSE-SU-2025:03664-1","SUSE-SU-2025:03666-1","SUSE-SU-2025:03671-1","SUSE-SU-2025:03672-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:20873-1","SUSE-SU-2025:20874-1","SUSE-SU-2025:20875-1","SUSE-SU-2025:20876-1","SUSE-SU-2025:20877-1","SUSE-SU-2025:20878-1","SUSE-SU-2025:20879-1","SUSE-SU-2025:20880-1","SUSE-SU-2025:20881-1","SUSE-SU-2025:20882-1","SUSE-SU-2025:20883-1","SUSE-SU-2025:20884-1","SUSE-SU-2025:20885-1","SUSE-SU-2025:20886-1","SUSE-SU-2025:20887-1","SUSE-SU-2025:20888-1","SUSE-SU-2025:20889-1","SUSE-SU-2025:20890-1","SUSE-SU-2025:20891-1","SUSE-SU-2025:20902-1","SUSE-SU-2025:20903-1","SUSE-SU-2025:20904-1","SUSE-SU-2025:20905-1","SUSE-SU-2025:20906-1","SUSE-SU-2025:20907-1","SUSE-SU-2025:20908-1","SUSE-SU-2025:20909-1","SUSE-SU-2025:20912-1","SUSE-SU-2025:20913-1","SUSE-SU-2025:20914-1","SUSE-SU-2025:20915-1","SUSE-SU-2025:20916-1","SUSE-SU-2025:20917-1","SUSE-SU-2025:20918-1","SUSE-SU-2025:20919-1","SUSE-SU-2025:20920-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3675-1","SUSE-SU-2025:3679-1","SUSE-SU-2025:3683-1","SUSE-SU-2025:3703-1","SUSE-SU-2025:3704-1","SUSE-SU-2025:3705-1","SUSE-SU-2025:3712-1","SUSE-SU-2025:3717-1","SUSE-SU-2025:3720-1","SUSE-SU-2025:3721-1","SUSE-SU-2025:3731-1","SUSE-SU-2025:3733-1","SUSE-SU-2025:3734-1","SUSE-SU-2025:3736-1","SUSE-SU-2025:3740-1","SUSE-SU-2025:3742-1","SUSE-SU-2025:3748-1","SUSE-SU-2025:3755-1","SUSE-SU-2025:3762-1","SUSE-SU-2025:3764-1","SUSE-SU-2025:3765-1","SUSE-SU-2025:3768-1","SUSE-SU-2025:3770-1","SUSE-SU-2025:3771-1","SUSE-SU-2025:3772-1","SUSE-SU-2025:4123-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38499.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"},{"type":"WEB","url":"https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38499.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38499"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"427215d85e8d1476da1a86b8d67aceb485eb3631"},{"fixed":"36fecd740de2d542d2091d65d36554ee2bcf9c65"},{"fixed":"d717325b5ecf2a40daca85c61923e17f32306179"},{"fixed":"dc6a664089f10eab0fb36b6e4f705022210191d2"},{"fixed":"e77078e52fbf018ab986efb3c79065ab35025607"},{"fixed":"38628ae06e2a37770cd794802a3f1310cf9846e3"},{"fixed":"c28f922c9dcee0e4876a2c095939d77fe7e15116"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"c6e8810d25295acb40a7b69ed3962ff181919571"},{"last_affected":"e3eee87c846dc47f6d8eb6d85e7271f24122a279"},{"last_affected":"517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce"},{"last_affected":"963d85d630dabe75a3cfde44a006fec3304d07b8"},{"last_affected":"812f39ed5b0b7f34868736de3055c92c7c4cf459"},{"last_affected":"6a002d48a66076524f67098132538bef17e8445e"},{"last_affected":"41812f4b84484530057513478c6770590347dc30"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38499.json"}}],"schema_version":"1.7.5"}