LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-38499 is a Linux kernel mount-namespace permission bug. The kernel did not always confirm CAP_SYS_ADMIN in the correct user namespace before cloning a private mount, which could expose mount-hidden content the caller should not be able to reveal. Public severity and CVSS are not provided in the bundle.

Executive priority

Treat this as a kernel hygiene and multi-tenant risk item. There is no cited active exploitation or CVSS score, but affected Linux hosts supporting containers or untrusted users should be prioritized for normal emergency-capable patch cycles.

Technical view

The issue is in clone_private_mnt(). It checked MNT_LOCKED child-mount constraints but missed a user-namespace capability check tied to the namespace owning the mount. The source says existing CAP_SYS_ADMIN checks often, but not always, covered this path. Linux stable commits are referenced as fixes.

Likely exposure

Exposure is most relevant on Linux systems running affected kernel versions, especially hosts with untrusted local users, container workloads, or user namespace and mount namespace activity. The bundle does not identify specific distributions beyond referenced Debian LTS and Siemens advisories.

Exploitation context

The bundle marks KEV as false and provides no evidence of active exploitation, public exploit availability, or remote attackability. Based on the description, exploitation would require reaching kernel mount-namespace behavior under specific local/user-namespace conditions, but exact prerequisites are not fully stated.

Researcher notes

The key research point is the missing CAP_SYS_ADMIN check in the mount owner user namespace inside clone_private_mnt(). The public bundle does not provide a CWE, CVSS vector, proof of concept, or complete distribution matrix, so validation should rely on kernel and vendor advisories.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Check distribution and vendor advisories for package-specific fixed versions.
  • Prioritize multi-tenant, container, and untrusted-user Linux hosts.
  • Review Debian LTS and Siemens guidance if those environments apply.
  • Avoid inventing compensating controls; follow vendor hardening guidance.

Validation and detection

  • Inventory running kernel versions across Linux hosts.
  • Compare kernels against vendor advisories and fixed stable updates.
  • Identify systems allowing untrusted local or containerized workloads.
  • Confirm updated kernels are loaded after reboot.
  • Track remediation exceptions for vendor-managed appliances.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38499 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
9Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux427215d85e8d1476da1a86b8d67aceb485eb3631, 427215d85e8d1476da1a86b8d67aceb485eb3631, 427215d85e8d1476da1a86b8d67aceb485eb3631, 427215d85e8d1476da1a86b8d67aceb485eb3631, 427215d85e8d1476da1a86b8d67aceb485eb3631, 427215d85e8d1476da1a86b8d67aceb485eb3631, c6e8810d25295acb40a7b69ed3962ff181919571, e3eee87c846dc47f6d8eb6d85e7271f24122a279, 517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce, 963d85d630dabe75a3cfde44a006fec3304d07b8, 812f39ed5b0b7f34868736de3055c92c7c4cf459, 6a002d48a66076524f67098132538bef17e8445e, 41812f4b84484530057513478c6770590347dc30, 4.4.281, 4.9.280, 4.14.244, 4.19.204, 5.4.141, 5.10.59, 5.13.11unaffected
LinuxLinux5.14, 0, 5.15.190, 6.1.147, 6.6.100, 6.12.40, 6.15.3, 6.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.