Hi,
On Mon, Feb 23, 2026 at 01:19:41PM -0300, Benjamín León Dubos wrote:
> Hello,
>
> I am writing on behalf of the CyberResponse initiative to report a status
> update for *CVE-2025-8941* regarding the pam package.
>
> After performing a manual triage on the source code for both Stable
> (Bookworm) and Testing (Trixie), we have verified that the vulnerability is
> already addressed in the current repository versions.
>
> Evidence: The logic fix in modules/pam_namespace/pam_namespace.c within the
> ns_setup function is present as follows:
>
> Debian 12 (Bookworm) - pam 1.5.2-6: Verified at line 1889.
>
> Debian 13 (Trixie) - pam 1.7.0-5: Verified at line 1889.
>
> Verified code: if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE))
>
> This check correctly prevents the insecure failure path described in the
> CVE by ensuring that the process halts if the directory does not exist and
> the creation flag is absent.
>
> We suggest updating the Security Tracker status to fixed for these releases.
We are still waiting to hear from Red Hat if CVE-2025-8941 is
considered a Red Hat specific incomplete fix or if it was to some
extent affecting others as well. So this is reflected in the status
for CVE-2025-8941 in the security-tracker on purpose with:
CVE-2025-8941 (A flaw was found in linux-pam. The pam_namespace module may
improperly ...)
- pam <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2388220#c1
TODO: check likely RedHat specific incomplete fix for CVE-2025-6020,
but asked to pinpoint incomplete fixes
Note that for CVE-2025-6020:
CVE-2025-6020 (A flaw was found in linux-pam. The module pam_namespace may use
access ...)
{DLA-4306-1}
[experimental] - pam 1.7.0-4
- pam 1.7.0-5 (bug #1107919)
[bookworm] - pam 1.5.2-6+deb12u2
NOTE: https://www.openwall.com/lists/oss-security/2025/06/17/1
NOTE: https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx
NOTE: Fixed by: https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e (v1.7.1)
NOTE: Fixed by: https://github.com/linux-pam/linux-pam/commit/592d84e1265d04c3104acee815a503856db503a1 (v1.7.1)
NOTE: Fixed by: https://github.com/linux-pam/linux-pam/commit/976c20079358d133514568fc7fd95c02df8b5773 (v1.7.1)
There is evidence that CVE-2025-8941 is Red Hat specific, but
still we do not have an official confirmation.
Regards,
Salvatore