Acknowledged
Created: Jul 28, 2025
Updated: Jul 29, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass[EOL][EOL]Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create[EOL]anonymous inodes with proper security context. This replaces the current[EOL]pattern of calling alloc_anon_inode() followed by[EOL]inode_init_security_anon() for creating security context manually.[EOL][EOL]This change also fixes a security regression in secretmem where the[EOL]S_PRIVATE flag was not cleared after alloc_anon_inode(), causing[EOL]LSM/SELinux checks to be bypassed for secretmem file descriptors.[EOL][EOL]As guest_memfd currently resides in the KVM module, we need to export this[EOL]symbol for use outside the core kernel. In the future, guest_memfd might be[EOL]moved to core-mm, at which point the symbols no longer would have to be[EOL]exported. When/if that happens is still unclear.
CREATE(Triage):(User=admin) [CVE-2025-38396 (https://nvd.nist.gov/vuln/detail/CVE-2025-38396)
