CVE-2025-38058

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock

Description

In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/628fb00195ce21a90cf9e4e3d105cd9e58f77b40
https://git.kernel.org/stable/c/b89eb56a378b7b2c1176787fc228d0a57172bdd5
https://git.kernel.org/stable/c/f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42
https://git.kernel.org/stable/c/9b0915e72b3cf52474dcee0b24a2f99d93e604a3
https://git.kernel.org/stable/c/d8ece4ced3b051e656c77180df2e69e19e24edc1
https://git.kernel.org/stable/c/8cafd7266fa02e0863bacbf872fe635c0b9725eb
https://git.kernel.org/stable/c/b55996939c71a3e1a38f3cdc6a8859797efc9083
https://git.kernel.org/stable/c/250cf3693060a5f803c5f1ddc082bb06b16112a9

Frequently Asked Questions

What is the severity of CVE-2025-38058?
CVE-2025-38058 has not yet been assigned a CVSS score.
How to fix CVE-2025-38058?
To fix CVE-2025-38058, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38058 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38058 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38058?
CVE-2025-38058 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.