CVE-2025-22045

MEDIUM EPSS 7.3%
Published Apr 16, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)
5.5 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table:

    collapse_pte_mapped_thp
      pmdp_collapse_flush
        flush_tlb_range

The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way.

Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact:

 - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks.
 - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.

The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
7.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥4.20 – <5.4.292
linux   linux_kernel  *        ≥5.5 – <5.10.236
linux   linux_kernel  *        ≥5.11 – <5.15.180
linux   linux_kernel  *        ≥5.16 – <6.1.134
linux   linux_kernel  *        ≥6.2 – <6.6.87
linux   linux_kernel  *        ≥6.7 – <6.12.23
linux   linux_kernel  *        ≥6.13 – <6.13.11
linux   linux_kernel  *        ≥6.14 – <6.14.2

References 11

  • git.kernel.org https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50
    Patch