CVE-2025-8941

7.8 HIGH

📋 TL;DR

This vulnerability in the linux-pam pam_namespace module allows local users to exploit symlink attacks and race conditions to elevate their privileges to root. It affects systems using PAM with the pam_namespace module configured. This CVE provides a complete fix for the previously disclosed CVE-2025-6020.

💻 Affected Systems

Products:
  • linux-pam
  • pam_namespace module
Versions: Versions prior to the fix for CVE-2025-6020
Operating Systems: Linux distributions using PAM with pam_namespace
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if pam_namespace module is configured and used in PAM configuration files.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges, enabling complete system compromise, data theft, and persistence establishment.

🟠

Likely Case

Local user with shell access escalates to root, gaining unauthorized administrative control over the system.

🟢

If Mitigated

Attack fails due to proper access controls, SELinux/AppArmor restrictions, or lack of pam_namespace usage.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over network.
🏢 Internal Only: HIGH - Any local user with shell access could potentially exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of symlink/race condition exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific distribution updates (e.g., Red Hat advisories RHSA-2025:14557, RHSA-2025:15099, etc.)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:14557

Restart Required: No

Instructions:

  1. Update the PAM package using your distribution's package manager.
  2. For RHEL (the package is named pam): 'yum update pam'.
  3. For Debian/Ubuntu (pam_namespace.so ships in libpam-modules): 'apt update && apt install --only-upgrade libpam-modules'.
  4. Verify the update was successful.

🔧 Temporary Workarounds

Disable pam_namespace module

linux

Remove or comment out pam_namespace lines in PAM configuration files

# Edit /etc/pam.d/* files and remove 'pam_namespace.so' lines
# Backup configs first: cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup

Restrict user namespace creation

linux

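Limit the ability to create user namespaces, which may reduce attack surface. The kernel.unprivileged_userns_clone sysctl comes from a distribution kernel patch (Debian, Ubuntu) and is not present on every kernel.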

sysctl -w kernel.unprivileged_userns_clone=0
# Add to /etc/sysctl.conf: kernel.unprivileged_userns_clone=0

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts
  • Use SELinux or AppArmor to restrict pam_namespace module capabilities

🔍 How to Verify

Check if Vulnerable:

Check if pam_namespace is configured: grep -r 'pam_namespace.so' /etc/pam.d/

Check Version:

rpm -q pam  # RHEL/CentOS/Fedora
dpkg -l | grep libpam-modules  # Debian/Ubuntu

Verify Fix Applied:

Check linux-pam version against patched version for your distribution
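
The grep check above also matches commented-out lines, so it can report a module that the workaround has already disabled. The following is an added example, not a script from this page or from the linux-pam project: a shell function (the name active_pam_namespace is hypothetical) that reports only active pam_namespace.so entries. It assumes '#' starts a comment and does not follow include directives; the sample files are constructed.

```shell
#!/bin/sh
# List PAM service files that still have an ACTIVE pam_namespace.so entry.
# Usage: active_pam_namespace [pam_dir]   (defaults to /etc/pam.d)
# Prints "file:line: text" per hit; returns 0 if any hit, 1 if none.
active_pam_namespace() {
    pam_dir="${1:-/etc/pam.d}"
    status=1
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Strip everything after '#', then require pam_namespace.so as a
        # whole token (bare name or the last component of a full path).
        if awk '{
                line = $0
                sub(/#.*/, "", line)
                if (line ~ /(^|[ \t\/])pam_namespace\.so([ \t]|$)/) {
                    print FILENAME ":" FNR ": " $0
                    found = 1
                }
            }
            END { exit !found }' "$f"
        then
            status=0
        fi
    done
    return "$status"
}

# Demonstration on constructed sample files (not real system configs).
demo_constructed() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
        'session  required  pam_unix.so' \
        '#session required  pam_namespace.so' > "$d/sshd"
    printf '%s\n' \
        'session  required  pam_selinux.so open' \
        'session  required  pam_namespace.so unmnt_remnt' > "$d/login"
    rc=0
    active_pam_namespace "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_constructed
```

A return status of 1 against /etc/pam.d means no service file loads the module directly; files pulled in from other directories still need a separate look.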

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in auth logs
  • Multiple failed then successful authentication attempts from same user

Network Indicators:

  • None - local exploit only

SIEM Query:

source="auth.log" AND ("pam_namespace" OR "privilege escalation")
