CVE-2025-40203
Description
In the Linux kernel, the following vulnerability has been resolved:
listmount: don't call path_put() under namespace semaphore
Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, listmount() could call path_put() while holding the namespace semaphore, risking a deadlock if the last reference is put.
The vulnerability resides in the listmount() function of the Linux kernel. The function was calling path_put() while still holding the namespace semaphore (namespace_sem). If path_put() releases the last reference to a mount or path, it can trigger additional cleanup that may attempt to acquire the same semaphore, leading to a deadlock (self-deadlock, "we're fscked") [1].
To exploit this, an attacker would need to trigger the listmount() code path under conditions where the path_put() call results in the final reference being dropped. This is a kernel-level bug that does not require special privileges beyond being able to invoke the affected syscall or operation; the deadlock can lead to a denial of service (system hang or crash) [1].
The impact is a potential denial-of-service condition. If the deadlock occurs, the entire system may become unresponsive or crash, affecting all users and services. There is no evidence of privilege escalation or data compromise from this bug itself [1].
The fix has been applied in the Linux kernel stable tree. The patch [1] reworks listmount() to ensure path_put() is called after releasing the namespace semaphore, preventing the deadlock. Users should update to a kernel version containing this commit or a later one that includes it [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
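The lock-ordering problem described above, as an added userspace model (not the kernel's code and not the fix commit). It assumes, as the narrative states, that the final put runs cleanup needing the same semaphore; `sem`, `ref` and the `list_put_*` functions are hypothetical stand-ins for namespace_sem, a path reference and the two listmount() orderings.

```c
#include <stdio.h>
/* Constructed userspace model; every name here is hypothetical. */
struct sem { int held; };               /* stands in for namespace_sem */
struct ref { int count; int released; };
static struct sem ns_sem;

/* Returns -1 where a real semaphore would block forever on its own holder. */
static int sem_lock(struct sem *s)
{
    if (s->held) return -1;
    s->held = 1;
    return 0;
}
static void sem_unlock(struct sem *s) { s->held = 0; }

/* Stand-in for path_put(): only the LAST put runs cleanup that needs the lock. */
static int ref_put(struct ref *r)
{
    if (--r->count > 0) return 0;           /* others still hold it: harmless */
    if (sem_lock(&ns_sem) < 0) return -1;   /* self-deadlock in a real kernel */
    r->released = 1;
    sem_unlock(&ns_sem);
    return 0;
}

/* Before the fix: the reference is dropped inside the locked region. */
static int list_put_under_lock(struct ref *r)
{
    sem_lock(&ns_sem);
    int rc = ref_put(r);                    /* after walking the mount list */
    sem_unlock(&ns_sem);
    return rc;
}

/* After the fix: only remember the reference while locked, drop it later. */
static int list_put_after_unlock(struct ref *r)
{
    sem_lock(&ns_sem);
    struct ref *deferred = r;               /* no put while the lock is held */
    sem_unlock(&ns_sem);
    return ref_put(deferred);
}

int main(void)
{
    struct ref a = { 1, 0 }, b = { 1, 0 };
    printf("under lock: %d, after unlock: %d\n",
           list_put_under_lock(&a), list_put_after_unlock(&b));
}
```

The put-under-lock ordering only fails when the caller holds the last reference, which is why the bug stays latent in ordinary runs.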
Affected products (2)
Patches (3)
659874b7ee49
9c80da26fda2
c1f86d0ac322
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.