Understanding the New CVE-2025-38499 in the Linux Kernel

Asked By TechSavvy123 On

Hey everyone! I came across a new vulnerability identified as CVE-2025-38499 that affects certain versions of the Linux Kernel (specifically 5.14 and some development versions). This vulnerability deals with the clone_private_mnt() function, where the system doesn't properly verify if the caller has the necessary CAP_SYS_ADMIN privileges, potentially exposing unseen mount points. This could be a big issue for systems using containers or complex mount setups since it bypasses the intended isolation. The kernel maintainers have released patches, and I wanted to spread the word that it's crucial for users to upgrade to the latest secure kernel versions or apply these patches right away. Has anyone else had issues with this or found ways to mitigate it effectively?

5 Answers

Answered By HelpfulUser321 On

Thanks for sharing this! It's crucial to keep updated on vulnerabilities like this to avoid potential disasters.

CuriousCat99 -

Absolutely! Ignorance isn't bliss when it comes to security.

Answered By KernelGeek88 On

It's definitely a good idea to get management on board for unattended kernel patches and reboots. As for your question, yes, you can use apt with unattended upgrades to run scripts when it recognizes a reboot is necessary, like for pod drains or failovers. It can handle automated reboots at a set time, or you could check /var/run/reboot-required and plan accordingly later.

AdminWhiz -

That's great to know! Thanks for the tip on checking reboot-required!

Answered By ReleaseWatcher On

For those concerned about the fix, the upstream releases that address this flaw are v6.1.147+, v6.6.100+, v6.12.40+, v6.15.3+, v6.16-rc1+, and v6.17-rc1+. Just make sure to upgrade!
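
Added example, not part of any answer in this thread: a shell check of an upstream kernel version string against the fixed releases listed in the answer above. The function name and the status words it prints are hypothetical, and it assumes a plain upstream version number; distribution kernels backport fixes, so for those the vendor advisory decides.

```shell
#!/bin/sh
# Added example (not from the thread). Compares an upstream kernel version
# with the fixed releases listed above: 6.1.147, 6.6.100, 6.12.40, 6.15.3,
# and everything from 6.16-rc1 on. Distribution kernels backport fixes, so
# the vendor advisory, not this number, is authoritative for distro builds.

# Hypothetical helper: prints fixed | needs-update | unlisted | unparseable
cve_2025_38499_status() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) echo unparseable; return 1 ;;
    esac
    rel=${1%%-*}                      # drop "-rc1", "-generic", ...
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;               # "6.16" has no patch level
    esac
    # Keep only the leading digits ("40+deb13" -> "40").
    major=${major%%[!0-9]*}
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    patch=${patch:-0}
    if [ -z "$minor" ]; then echo unparseable; return 1; fi

    if [ "$major" -gt 6 ]; then echo fixed; return 0; fi
    if [ "$major" -lt 6 ]; then echo unlisted; return 0; fi
    case $minor in
        1)  min=147 ;;
        6)  min=100 ;;
        12) min=40 ;;
        15) min=3 ;;
        *)  # 6.16-rc1 and later carry the fix; other series are not listed
            if [ "$minor" -ge 16 ]; then echo fixed; else echo unlisted; fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo fixed; else echo needs-update; fi
}
```

Call it as `cve_2025_38499_status "$(uname -r)"` on the host. "unlisted" means the series is not one of those named in the answer, so the version number alone says nothing either way.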

Answered By PatchHunter On

Thanks for the post! This information is super useful.

KeepingItSecure -

Happy to help! Always good to stay informed!

Answered By SysadminSage77 On

Unfortunately, newer kernels like 6.x are still affected. The CAP check issue has been integrated into newer versions, as noted in the CVE details.

KernelWarrior45 -

That’s a bummer! Guess we need to stay vigilant with updates.
