CVE-2025-39717 in Linux
Summary
by MITRE • 09/05/2025
In the Linux kernel, the following vulnerability has been resolved:
open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE
As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed.
However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE.
can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability described in CVE-2025-39717 represents a critical flaw in the Linux kernel's handling of mount namespace id-mapping operations, specifically affecting the open_tree_attr system call interface. This issue stems from an improper restriction mechanism that was intended to prevent race conditions during id-mapping changes while maintaining system stability. The vulnerability manifests when users can bypass intended security controls by invoking open_tree_attr without the required OPEN_TREE_CLONE flag, creating a pathway for unauthorized modification of detached mount points' identity mappings.
The technical flaw resides in the kernel's mount attribute management subsystem where the can_idmap_mount() function was designed to prevent modifications to attached mountpoints but failed to adequately restrict detached mounts that remain visible within the namespace. This creates a scenario where malicious actors can manipulate id-mappings on detached mounts through the open_tree_attr system call, effectively circumventing the security controls established in commit 7a54947e727b that aimed to prevent race conditions and related vulnerabilities. The vulnerability directly relates to CWE-362, which describes concurrent execution issues that can lead to race conditions, and specifically addresses improper restriction of operations within a recognized security domain.
The operational impact of this vulnerability extends beyond simple privilege escalation to include potential system instability and security boundary violations. When detached mounts can have their id-mappings modified without proper safeguards, it creates opportunities for use-after-free conditions and locking inconsistencies that were specifically mitigated in the original design. The risk is particularly severe because it allows for modifications to mount points that may be in use or transitioning between states, potentially leading to memory corruption or privilege escalation attacks. This vulnerability effectively undermines the kernel's namespace isolation mechanisms and can be leveraged to manipulate the identity mapping of file system objects in ways that were never intended by the security model.
Mitigation strategies for this vulnerability require immediate kernel updates to address the specific logic flaw in the mount attribute handling code. System administrators should ensure that all systems are running patched kernel versions that properly enforce the OPEN_TREE_CLONE requirement for id-mapping changes. The recommended approach involves implementing proper validation checks that ensure any attempt to modify id-mappings through open_tree_attr must be accompanied by the appropriate clone flag, thereby preventing the bypass mechanism that enables unauthorized modifications. Additionally, monitoring should be implemented to detect unusual patterns of mount attribute operations that might indicate exploitation attempts, particularly focusing on the intersection of open_tree_attr calls with id-mapping modifications. Organizations should also review their current kernel security configurations and ensure that appropriate access controls are in place to limit who can invoke these potentially dangerous system calls.
This vulnerability demonstrates the complexity of maintaining security in kernel-level namespace management systems and highlights the importance of proper access control enforcement even in seemingly benign system calls. The issue represents a failure in the principle of least privilege where the system allowed operations that should have been restricted based on the mount state and intended usage patterns. The ATT&CK framework classification would place this under privilege escalation techniques, specifically targeting kernel-level security controls through manipulation of system call interfaces. The vulnerability underscores the necessity of comprehensive testing of security controls in kernel space, particularly around operations that modify system state in ways that can affect security boundaries and namespace isolation.