CVE-2025-38396
published 2025-07-25CVE-2025-38396: In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
anonymous inodes with proper security context. This replaces the current
pattern of calling alloc_anon_inode() followed by
inode_init_security_anon() for creating security context manually.
This change also fixes a security regression in secretmem where the
S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
LSM/SELinux checks to be bypassed for secretmem file descriptors.
As guest_memfd currently resides in the KVM module, we need to export this
symbol for use outside the core kernel. In the future, guest_memfd might be
moved to core-mm, at which point the symbols no longer would have to be
exported. When/if that happens is still unclear.
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 2bfe15c5261212130f1a71f32a300bcf426443d4 < 66d29d757c968d2bee9124816da5d718eb352959 | 66d29d757c968d2bee9124816da5d718eb352959 |
| linux | linux | >= 2bfe15c5261212130f1a71f32a300bcf426443d4 < e3eed01347721cd7a8819568161c91d538fbf229 | e3eed01347721cd7a8819568161c91d538fbf229 |
| linux | linux | >= 2bfe15c5261212130f1a71f32a300bcf426443d4 < f94c422157f3e43dd31990567b3e5d54b3e5b32b | f94c422157f3e43dd31990567b3e5d54b3e5b32b |
| linux | linux | >= 2bfe15c5261212130f1a71f32a300bcf426443d4 < 6ca45ea48530332a4ba09595767bd26d3232743b | 6ca45ea48530332a4ba09595767bd26d3232743b |
| linux | linux | >= 2bfe15c5261212130f1a71f32a300bcf426443d4 < cbe4134ea4bc493239786220bd69cb8a13493190 | cbe4134ea4bc493239786220bd69cb8a13493190 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.37-1 | 6.12.37-1 |
| linux | linux_kernel | >= 0 < 6.12.37-1 | 6.12.37-1 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 6.0 < 6.1.146 | 6.1.146 |
| linux | linux_kernel | >= 6.13 < 6.15.6 | 6.15.6 |
| linux | linux_kernel | >= 6.2 < 6.6.97 | 6.6.97 |
| linux | linux_kernel | >= 6.7 < 6.12.37 | 6.12.37 |
| msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-6.8 | — | — |
| ubuntu | linux-gkeop | — | — |
| ubuntu | linux-nvidia | — | — |
| ubuntu | linux-nvidia-6.8 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH