Acknowledged
Created: Aug 11, 2025
Updated: Aug 13, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.

clone_private_mnt() checks the former, but not the latter.

There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
CREATE(Triage):(User=lchen-cn) CVE-2025-38499 (https://nvd.nist.gov/vuln/detail/CVE-2025-38499)