CVE-2025-38498 fix permission checks for mount propagation change

JIRA: https://issues.redhat.com/browse/RHEL-107304
CVE: CVE-2025-38498

An inconsistent application of capabilities checking was discovered in the kernel.

An initial patch was proposed and merged but regressions were reported. An additional patch was posted that makes this permission checking consistent over the two areas it's used and eliminates the regression.

The risk was that the reported regression would almost certainly have serious effects for our container products (at the least) so we needed to wait for this second patch.

It's still possible this change will introduce a regression because it adds a capability check. But this check is to ensure the process making the propagation type change has the appropriate capability to do so and that should be the case.

Signed-off-by: Ian Kent <ikent@redhat.com>

Edited by Ian Kent
