CVE-2025-8941

🗓️ 13 Aug 2025 14:42:37Reported by redhatType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 59 Views

CVE-2025-8941: linux-pam pam_namespace flaw allows local users to escalate to root via symlinks and race conditions; fix CVE-2025-6020.

Reporter	Title	Published	Views	Family All 115
IBM Security Bulletins	Security Bulletin: Vulnerabilities in pam library (CVE-2025-6020, CVE-2025-8941) affect Power HMC.	19 Nov 202508:44	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images	25 Sep 202506:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities have been identified with the DS8900F and DS8A00 Hardware Management Console (HMC)	3 Mar 202600:44	–	ibm
IBM Security Bulletins	Security Bulletin:Vulnerability in pam affects IBM Netezza Appliance	14 Jan 202609:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Instana Observability has addressed Multiple Vulnerabilities within Instana Agent container image	18 Sep 202507:50	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in linux-pam affects IBM Netezza Appliance	16 Dec 202510:05	–	ibm
Tenable Nessus	Amazon Linux 2023 : pam, pam-devel (ALAS2023-2025-1257)	11 Nov 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : pam, --advisory ALAS2-2025-3057 (ALAS-2025-3057)	11 Nov 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : pam (ALSA-2025:14557)	4 Sep 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : pam (ALSA-2025:15099)	3 Sep 202500:00	–	nessus

[
  {
    "packageName": "linux-pam",
    "collectionURL": "https://github.com/linux-pam/linux-pam",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.1.8-23.el7_9.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_els:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-38.el8_10",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-8.el8_2.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_aus:8.2::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-14.el8_4.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos",
      "cpe:/o:redhat:rhel_aus:8.4::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-14.el8_4.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos",
      "cpe:/o:redhat:rhel_aus:8.4::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-16.el8_6.3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_e4s:8.6::baseos",
      "cpe:/o:redhat:rhel_tus:8.6::baseos",
      "cpe:/o:redhat:rhel_aus:8.6::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-16.el8_6.3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_e4s:8.6::baseos",
      "cpe:/o:redhat:rhel_tus:8.6::baseos",
      "cpe:/o:redhat:rhel_aus:8.6::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-16.el8_6.3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_e4s:8.6::baseos",
      "cpe:/o:redhat:rhel_tus:8.6::baseos",
      "cpe:/o:redhat:rhel_aus:8.6::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-26.el8_8.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_e4s:8.8::baseos",
      "cpe:/o:redhat:rhel_tus:8.8::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.3.1-26.el8_8.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_e4s:8.8::baseos",
      "cpe:/o:redhat:rhel_tus:8.8::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.5.1-26.el9_6",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:enterprise_linux:9::appstream",
      "cpe:/o:redhat:enterprise_linux:9::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.5.1-26.el9_6",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:enterprise_linux:9::appstream",
      "cpe:/o:redhat:enterprise_linux:9::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.5.1-9.el9_0.3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhel_e4s:9.0::appstream",
      "cpe:/o:redhat:rhel_e4s:9.0::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.5.1-15.el9_2.2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhel_e4s:9.2::appstream",
      "cpe:/o:redhat:rhel_e4s:9.2::baseos"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pam",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.5.1-24.el9_4.1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/o:redhat:rhel_eus:9.4::baseos",
      "cpe:/a:redhat:rhel_eus:9.4::appstream"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Web Terminal 1.11 on RHEL 9",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "web-terminal/web-terminal-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.11-19",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:webterminal:1.11::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Web Terminal 1.11 on RHEL 9",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "web-terminal/web-terminal-tooling-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.11-8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:webterminal:1.11::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Web Terminal 1.12 on RHEL 9",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "web-terminal/web-terminal-tooling-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.12-4",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:webterminal:1.12::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "cert-manager operator for Red Hat OpenShift 1.16",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "cert-manager/jetstack-cert-manager-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:cert_manager:1.16::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Compliance Operator 1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "compliance/openshift-compliance-openscap-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_compliance_operator:1::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Discovery 2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "discovery/discovery-server-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:c85cfbcaf7888885e57596b7b8bde3894718cfc33326499b24961a66a62cf083",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:discovery:2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Insights proxy 1.5",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "insights-proxy/insights-proxy-container-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:4ca38b33efec0d2dd17a8fd822a7c18281810676ceabb0c1db90953cb91cd5ea",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:insights_proxy:1.5::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift sandboxed containers 1.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:24722900db1425bf0c27f6ad6f3fb7d79ff9ebc433bdab58423fa71bab76122b",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:confidential_compute_attestation:1.10::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift sandboxed containers 1.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-sandboxed-containers/osc-monitor-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:f5e1602d72177d77f1b879c76e6f6cfbc2979c136c06ca9f03ea97ffb369b7a6",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:confidential_compute_attestation:1.10::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift sandboxed containers 1.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-sandboxed-containers/osc-podvm-builder-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:cead623ceda4048cabaa81c371ed2a8143f5c5514276fca1d71685bd9e6d1e65",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:confidential_compute_attestation:1.10::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift sandboxed containers 1.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-sandboxed-containers/osc-podvm-payload-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:59fb1f7f1653361d94f7d48b42d8fe19ed3263c1c78654837c11f2135544c1ac",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:confidential_compute_attestation:1.10::el9"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2025:21885
access	www.access.redhat.com/security/cve/CVE-2025-8941
access	www.access.redhat.com/errata/RHSA-2025:15107
access	www.access.redhat.com/errata/RHSA-2025:16524
access	www.access.redhat.com/errata/RHSA-2025:15099
access	www.access.redhat.com/errata/RHSA-2025:15103
access	www.access.redhat.com/errata/RHSA-2025:15102
access	www.access.redhat.com/errata/RHSA-2025:15100
access	www.access.redhat.com/errata/RHSA-2025:14557
access	www.access.redhat.com/errata/RHSA-2025:15101

15 Apr 2026 00:35Current

6.8Medium risk

Vulners AI Score6.8

CVSS 3.17.8

EPSS0.00022

SSVC

CWE-22

linux pam; pam namespace; local users; symlink attacks; race conditions; privilege escalation