CVE-2025-38085

MEDIUM EPSS 1.6%
Published Jun 28, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)
4.7 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed.

If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected.

Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 7

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥2.6.20 – <5.10.239
linux    linux_kernel   *         ≥5.11 – <5.15.186
linux    linux_kernel   *         ≥5.16 – <6.1.142
linux    linux_kernel   *         ≥6.2 – <6.6.95
linux    linux_kernel   *         ≥6.7 – <6.12.35
linux    linux_kernel   *         ≥6.13 – <6.15.4
debian   debian_linux   11.0      any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Third Party Advisory
  • project-zero.issues.chromium.org https://project-zero.issues.chromium.org/issues/420715744
    Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8
    Patch