CVE-2025-38498
Description
In the Linux kernel, the following vulnerability has been resolved:
do_change_type(): refuse to operate on unmounted/not ours mounts
Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, do_change_type() lacked proper mount namespace checks, allowing unprivileged users to change propagation settings on mounts in other namespaces; fixed by validating mount ownership.
The vulnerability resides in the do_change_type() function in the Linux kernel, which is responsible for changing mount propagation flags (e.g., MS_SLAVE, MS_SHARED). The root cause is that the function did not verify whether the target mount belongs to the caller's mount namespace before applying the change, unlike other mount operations that enforce such checks.
An unprivileged local attacker could exploit this by invoking mount(2) with appropriate flags on a mount that does not belong to their namespace. This bypasses the intended namespace isolation, allowing the attacker to modify propagation settings of mounts owned by other namespaces.
Successful exploitation could enable an attacker to interfere with mount event propagation, potentially leading to denial of service or information disclosure across namespace boundaries. The CVSS v3 base score is 5.5 (Medium), reflecting the need for local access and the potential for limited impact.
The Linux kernel community addressed this issue in commits [3] and [4] by adding a check that ensures the mount is both mounted and belongs to the caller's namespace. Users should update to the latest stable kernel version containing these patches.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 2.6.15
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93nvdPatch
- git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fcnvdPatch
- git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114nvdPatch
- git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1nvdPatch
- git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8nvdPatch
- git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589nvdPatch
- git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23nvdPatch
- git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2nvdPatch
- lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlnvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdThird Party Advisory
- cert-portal.siemens.com/productcert/html/ssa-082556.htmlnvd
- cert-portal.siemens.com/productcert/html/ssa-089022.htmlnvd
News mentions
0No linked articles in our index yet.