{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38499","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.022Z","datePublished":"2025-08-11T16:01:08.257Z","dateUpdated":"2026-05-12T12:05:11.848Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:29:12.146Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo.  \"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/namespace.c"],"versions":[{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"36fecd740de2d542d2091d65d36554ee2bcf9c65","status":"affected","versionType":"git"},{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"d717325b5ecf2a40daca85c61923e17f32306179","status":"affected","versionType":"git"},{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"dc6a664089f10eab0fb36b6e4f705022210191d2","status":"affected","versionType":"git"},{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"e77078e52fbf018ab986efb3c79065ab35025607","status":"affected","versionType":"git"},{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"38628ae06e2a37770cd794802a3f1310cf9846e3","status":"affected","versionType":"git"},{"version":"427215d85e8d1476da1a86b8d67aceb485eb3631","lessThan":"c28f922c9dcee0e4876a2c095939d77fe7e15116","status":"affected","versionType":"git"},{"version":"c6e8810d25295acb40a7b69ed3962ff181919571","status":"affected","versionType":"git"},{"version":"e3eee87c846dc47f6d8eb6d85e7271f24122a279","status":"affected","versionType":"git"},{"version":"517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce","status":"affected","versionType":"git"},{"version":"963d85d630dabe75a3cfde44a006fec3304d07b8","status":"affected","versionType":"git"},{"version":"812f39ed5b0b7f34868736de3055c92c7c4cf459","status":"affected","versionType":"git"},{"version":"6a002d48a66076524f67098132538bef17e8445e","status":"affected","versionType":"git"},{"version":"41812f4b84484530057513478c6770590347dc30","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/namespace.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.147","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.100","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.40","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1.147"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.6.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.12.40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.281"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.280"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.244"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.204"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"},{"url":"https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"},{"url":"https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"},{"url":"https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"},{"url":"https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"},{"url":"https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"}],"title":"clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:39:08.627Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:05:11.848Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}]}]}}