VYPR
Medium severity (5.5) · NVD Advisory · Published Sep 12, 2025 · Updated May 12, 2026

CVE-2025-39798

Description

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix the setting of capabilities when automounting a new filesystem

Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, NFS automounts fail to reset filesystem capabilities, potentially allowing inherited privileges across mount boundaries.

A vulnerability in the Linux kernel's NFS implementation was discovered, tracked as CVE-2025-39798. The root cause lies in the automounting logic for new NFS filesystems. When the kernel crosses into a newly mounted filesystem, capabilities are not properly reset to minimal defaults before being probed again. This oversight means that capabilities from the parent mount can be incorrectly inherited by the child mount, bypassing the intended security boundary.

An attacker would require local access to a system that performs NFS automounting. The exploitation vector involves triggering an NFS automount event, which could be achieved through standard filesystem operations such as traversing into an automount point. No special privileges beyond standard user access are needed to trigger the mount, but the attack surface is limited to systems configured with NFS automount functionality.

The impact is an elevation of privilege or the ability to perform operations that the automounted filesystem should not allow. By inheriting capabilities from the parent, a process operating within the automounted filesystem might gain unintended permissions, such as performing privileged operations like mounting additional filesystems or modifying protected kernel settings. The CVSS v3 base score of 5.5 reflects a medium severity, indicating a moderate risk to confidentiality, integrity, and availability [1].

As of publication, patches are available in the Linux kernel stable tree. The fix is included in commits to the kernel's stable release branches [3][4]. Administrators are strongly advised to update to kernel versions that include the fix; the referenced Siemens advisory also lists this CVE among affected products [1][2]. No known exploits have been publicly reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
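
An exposure inventory for the condition described above, as an added example that is not part of the advisory or the kernel patch: it parses `/proc/self/mountinfo` and lists NFS mounts, flagging those whose parent mount is also NFS. Treating such child mounts as the automounted filesystems in question is an assumption, and the sample lines, host name and paths are constructed.

```python
"""Inventory NFS mounts and flag NFS-under-NFS child mounts (added example)."""
from pathlib import Path

NFS_TYPES = {"nfs", "nfs4"}

# Constructed sample in /proc/<pid>/mountinfo format; host and paths are made up.
SAMPLE = """\
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
95 22 0:52 / /srv/data rw,relatime shared:60 - nfs4 fileserver.example:/export rw,vers=4.2
96 95 0:53 / /srv/data/projects rw,relatime shared:61 - nfs4 fileserver.example:/export/projects rw,vers=4.2
97 22 0:54 / /misc rw,relatime shared:62 - autofs /etc/auto.misc rw,fd=6
"""


def parse_mountinfo(text):
    """Map mount ID -> parent ID, mount point, fstype, source (see proc(5))."""
    mounts = {}
    for line in text.splitlines():
        if " - " not in line:
            continue  # blank or malformed line
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mounts[int(lf[0])] = {
            "parent": int(lf[1]),
            "mountpoint": lf[4].replace("\\040", " "),  # spaces are octal-escaped
            "fstype": rf[0],
            "source": rf[1],
        }
    return mounts


def nfs_exposure(text):
    """Return (all NFS mount points, NFS mount points whose parent is also NFS)."""
    mounts = parse_mountinfo(text)
    nfs = {mid: m for mid, m in mounts.items() if m["fstype"] in NFS_TYPES}
    children = [m["mountpoint"] for m in nfs.values() if m["parent"] in nfs]
    return sorted(m["mountpoint"] for m in nfs.values()), sorted(children)


if __name__ == "__main__":
    live = Path("/proc/self/mountinfo")
    text = live.read_text() if live.exists() else SAMPLE
    all_nfs, children = nfs_exposure(text)
    print("NFS mounts:", all_nfs or "none")
    print("NFS child mounts under an NFS parent:", children or "none")
```

A host that reports no NFS mounts at the time of the check may still mount them later, so the result is a snapshot rather than proof of non-exposure.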

Affected products

2

References

13
