{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38085", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.981Z", "datePublished": "2025-06-28T07:44:26.178Z", "dateUpdated": "2025-06-28T07:44:26.178Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-06-28T07:44:26.178Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "952596b08c74e8fe9e2883d1dc8a8f54a37384ec", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "a3d864c901a300c295692d129159fc3001a56185", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "b7754d3aa7bf9f62218d096c0c8f6c13698fac8b", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "fe684290418ef9ef76630072086ee530b92f02b8", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "034a52b5ef57c9c8225d94e9067f3390bb33922f", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "a6bfeb97941a9187833b526bc6cc4ff5706d0ce9", "status": "affected", "versionType": "git"}, {"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa", "lessThan": "1013af4f585fccc4d3e5c5824d174de2257f7d6d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "2.6.20", "status": "affected"}, {"version": "0", "lessThan": "2.6.20", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.239", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.186", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.142", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.95", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.35", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.4", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "5.10.239"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "5.15.186"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.1.142"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.6.95"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.12.35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.15.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.16-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"}, {"url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"}, {"url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"}, {"url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"}, {"url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"}, {"url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"}, {"url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"}], "title": "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/hugetlb: correcci\u00f3n de huge_pmd_unshare() frente a la competencia GUP-fast. huge_pmd_unshare() elimina una referencia en una tabla de p\u00e1ginas que podr\u00eda haber sido compartida previamente entre procesos, lo que podr\u00eda convertirla en una tabla de p\u00e1ginas normal utilizada por otro proceso en la que posteriormente se podr\u00edan instalar VMAs no relacionadas. Si esto ocurre durante una ejecuci\u00f3n simult\u00e1nea de gup_fast(), gup_fast() podr\u00eda terminar recorriendo las tablas de p\u00e1ginas de otro proceso. Si bien no veo ninguna forma en que esto provoque inmediatamente una corrupci\u00f3n de memoria en el kernel, es realmente extra\u00f1o e inesperado. Corr\u00edjalo con una IPI de difusi\u00f3n expl\u00edcita a trav\u00e9s de tlb_remove_table_sync_one(), tal como hacemos en khugepaged al eliminar tablas de p\u00e1ginas durante un colapso de THP."}], "id": "CVE-2025-38085", "lastModified": "2025-06-30T18:38:23.493", "metrics": {}, "published": "2025-06-28T08:15:24.843", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race", "id": "2375304", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2375304"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-200", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."], "name": "CVE-2025-38085", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38085\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38085\nhttps://lore.kernel.org/linux-cve-announce/2025062836-CVE-2025-38085-8075@gregkh/T"], "threat_severity": "Moderate"}