Severity
High
Analysis Summary
CVE-2025-8941 is a high-impact local privilege-escalation flaw in the Linux Pluggable Authentication Modules (PAM) framework, specifically in the pam_namespace module. Upstream and national vulnerability databases describe the bug as improper handling of user-controlled paths that lets a low-privileged local user combine symlink attacks with race conditions to elevate to root. The CVE was opened as the complete fix for an earlier, partial patch (CVE-2025-6020).
An attacker places or toggles a symbolic link in a user-writable location while pam_namespace is creating directories; by winning the timing window, they can cause privileged directory creation or permission changes under / (or other sensitive locations). Successful timing and scripting can result in directory ownership/permission manipulation and ultimately arbitrary root actions. Detailed writeups and vendor notes show this is a symlink plus race-condition class bug tied to how pam_namespace resolves and creates paths.
Affected systems include distributions that shipped the vulnerable linux-pam before the upstream fix (vendors like Red Hat, Ubuntu and others have published advisories and tracking entries), and because the vector is local the primary risk is multi-user servers, shared desktops, CI runners, container hosts, and any environment that grants shell access to untrusted users. Public reporting and news outlets also note a working PoC has been published, which raises the urgency for patching and local hardening. (CVSS scores reported in the ecosystem vary by source as evaluators applied differing base assumptions; treat the issue as high priority regardless.)
Mitigation priorities are straightforward and immediate: apply the upstream/vendor linux-pam patches as soon as your distribution provides them; if a patch cannot be applied quickly, consider disabling pam_namespace where feasible, tighten who can log in locally, and audit for suspicious symlink creation and inode/permission changes (auditd, tripwire, or similar file-integrity hooks). Also review and restrict local account access (remove unnecessary shell access, tighten sudoers), monitor for indicators of compromise, and treat systems with untrusted users as higher risk until patched. Vendor advisories and distro trackers remain the authoritative source for patched package versions; prioritize those notices, then test and deploy the fixes in your environment.
Impact
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2025-8941
Remediation
- Update Linux-PAM to the latest patched version provided by your distribution (Ubuntu, RHEL, Fedora, Debian, etc.).
- Prioritize patching systems with multiple local users or shared access environments.
- If patching is delayed, comment out or disable pam_namespace in /etc/security/namespace.conf or PAM configuration files.
- Only do this after impact assessment to avoid affecting applications using namespaces.
- Restrict creation of unnecessary local accounts or shell access on critical systems.
- Enforce strict sudo policies (no password-less sudo, restrict commands allowed to users).
- Enable monitoring tools like auditd to detect suspicious symlink creation in /tmp, /home, or other writable directories.
- Set alerts for unauthorized permission changes or unexpected directory creation in root filesystem paths.
- Use nosuid, nodev, and noexec mount options where possible for /tmp, /var/tmp, /home, and other user-writable directories.
- Prevent users from manipulating sensitive file paths during login sessions.
- Audit /etc/pam.d/ files and /etc/security/namespace.conf for misconfigurations.
- Ensure only trusted administrators can modify PAM or namespace settings.
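The following script is an added example, not part of the advisory or of Linux-PAM: it checks a host for the conditions the remediation list names (pam_namespace loaded from /etc/pam.d, active rules in /etc/security/namespace.conf, user-writable mounts lacking nosuid/nodev/noexec) and emits auditctl rules for the symlink-creation and privileged directory-change events that this bug class produces. The function names are mine; the file paths and auditctl syntax are standard.

```sh
#!/bin/sh
# Added example, not part of the advisory: check a host for the conditions
# the remediation list names (pam_namespace active, namespace.conf rules,
# user-writable mounts lacking nosuid/nodev/noexec) and emit auditd rules
# for the symlink and privileged directory-change events of this bug class.

# Print PAM service files (in $1, default /etc/pam.d) that load
# pam_namespace.so on an uncommented line; no output means it is inactive.
pam_namespace_services() {
    grep -lE '^[[:space:]]*[^#[:space:]].*pam_namespace\.so' "${1:-/etc/pam.d}"/* 2>/dev/null || true
}

# Count active (non-blank, non-comment) polyinstantiation rules in a
# namespace.conf file ($1, default /etc/security/namespace.conf).
namespace_rule_count() {
    conf="${1:-/etc/security/namespace.conf}"
    [ -r "$conf" ] || { echo 0; return 0; }
    grep -cE '^[[:space:]]*[^#[:space:]]' "$conf" || true
}

# Print which of nosuid, nodev, noexec a mount point ($2) lacks according
# to a /proc/mounts-style table ($1). A path with no entry of its own is
# not a separate mount and cannot be hardened on its own, so all three
# options are reported as missing for it.
mount_missing_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "${1:-/proc/mounts}" | tail -n 1)
    for want in nosuid nodev noexec; do
        case ",$opts," in *",$want,"*) ;; *) printf '%s\n' "$want" ;; esac
    done
}

# Emit auditctl rules: symlink creation by logged-in users (auid >= 1000)
# inside user-writable directories, and directory creation, mode or
# ownership changes executed as root on behalf of such a session, which is
# what a won race in pam_namespace looks like. Add arch=b32 on 32-bit hosts.
pam_namespace_audit_rules() {
    for d in /tmp /var/tmp /home; do
        echo "-a always,exit -F arch=b64 -S symlink,symlinkat -F dir=$d -F auid>=1000 -F auid!=unset -k pam_ns_symlink"
    done
    echo "-a always,exit -F arch=b64 -S mkdir,mkdirat,chmod,fchmodat,chown,fchownat -F euid=0 -F auid>=1000 -F auid!=unset -k pam_ns_privdir"
}
```

Load the emitted rules with auditctl -R (or drop them into /etc/audit/rules.d/) and search with ausearch -k pam_ns_symlink / -k pam_ns_privdir; a symlink event closely followed by a root-executed mkdir or chmod for the same login session is the pattern worth alerting on.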