### [CVE-2025-38396](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-38396)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=2bfe15c5261212130f1a71f32a300bcf426443d4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:

fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass

Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for creating security context manually.

This change also fixes a security regression in secretmem where the S_PRIVATE flag was not cleared after alloc_anon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors.

As guest_memfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guest_memfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/w4zu/Debian_security