Date: 2026-01-06 Updated: 2026-02-11
HIGH risk vulnerability affecting RHEL-9, RHEL-10, derivatives and other distributions, concerning clone_private_mnt(). [R 1]
EGI SVG ID : EGI-SVG-2026-01
CVE ID : CVE-2025-38499
CVSS Score : 7.8 [R 1]
Affected sites are recommended to update relevant components as soon as possible using information in the references below.
No mitigation is available. [R 1]
Other security issues were fixed at the same time as this [R 8] [R 9].
RHEL-8 and derivatives are not affected.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2026-01
https://advisories.egi.eu/Advisory-SVG-CVE-2025-38499
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 4] https://security-tracker.debian.org/tracker/CVE-2025-38499
[R 6] https://errata.build.resf.org/ (RockyLinux)
[R 7] https://errata.almalinux.org/ (AlmaLinux)
[R 8] https://access.redhat.com/errata/RHSA-2025:23241 (RHEL9)
[R 9] https://access.redhat.com/errata/RHSA-2025:23279 (RHEL10)
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Mischa Salle.