{"id":"CVE-2025-38396","summary":"fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.","modified":"2026-04-16T00:03:27.991980287Z","published":"2025-07-25T12:53:40.761Z","related":["ALSA-2025:16904","ALSA-2025:20518","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03636-1","SUSE-SU-2025:03638-1","SUSE-SU-2025:03646-1","SUSE-SU-2025:03650-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:20873-1","SUSE-SU-2025:20874-1","SUSE-SU-2025:20875-1","SUSE-SU-2025:20876-1","SUSE-SU-2025:20877-1","SUSE-SU-2025:20878-1","SUSE-SU-2025:20879-1","SUSE-SU-2025:20881-1","SUSE-SU-2025:20882-1","SUSE-SU-2025:20883-1","SUSE-SU-2025:20884-1","SUSE-SU-2025:20885-1","SUSE-SU-2025:20886-1","SUSE-SU-2025:20887-1","SUSE-SU-2025:20888-1","SUSE-SU-2025:20890-1","SUSE-SU-2025:20891-1","SUSE-SU-2025:20902-1","SUSE-SU-2025:20903-1","SUSE-SU-2025:20904-1","SUSE-SU-2025:20905-1","SUSE-SU-2025:20906-1","SUSE-SU-2025:20907-1","SUSE-SU-2025:20909-1","SUSE-SU-2025:20912-1","SUSE-SU-2025:20913-1","SUSE-SU-2025:20914-1","SUSE-SU-2025:20915-1","SUSE-SU-2025:20916-1","SUSE-SU-2025:20917-1","SUSE-SU-2025:20918-1","SUSE-SU-2025:20920-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3742-1","SUSE-SU-2025:3748-1","SUSE-SU-2025:3755-1","SUSE-SU-2025:3762-1","SUSE-SU-2025:3764-1","SUSE-SU-2025:3765-1","SUSE-SU-2025:3768-1","SUSE-SU-2025:3771-1","SUSE-SU-2025:3772-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38396.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/66d29d757c968d2bee9124816da5d718eb352959"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ca45ea48530332a4ba09595767bd26d3232743b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cbe4134ea4bc493239786220bd69cb8a13493190"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3eed01347721cd7a8819568161c91d538fbf229"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f94c422157f3e43dd31990567b3e5d54b3e5b32b"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38396.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38396"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2bfe15c5261212130f1a71f32a300bcf426443d4"},{"fixed":"66d29d757c968d2bee9124816da5d718eb352959"},{"fixed":"e3eed01347721cd7a8819568161c91d538fbf229"},{"fixed":"f94c422157f3e43dd31990567b3e5d54b3e5b32b"},{"fixed":"6ca45ea48530332a4ba09595767bd26d3232743b"},{"fixed":"cbe4134ea4bc493239786220bd69cb8a13493190"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38396.json"}}],"schema_version":"1.7.5"}