CVE-2025-39961

MEDIUM · CVSS 3.1: 4.7 · EPSS 1.0%
Published Oct 9, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd/pgtbl: Fix possible race while increase page table level

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations.

The IOMMU IOVA allocator initially starts with 32-bit address and once it is exhausted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level.

But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So it's possible that in an extreme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result in iommu_unmap ops failing and the upper layer may retry/log WARN_ON.

  CPU 0                                          CPU 1
  ------                                         ------
  map pages                                      unmap pages
  alloc_pte() -> increase_address_space()        iommu_v1_unmap_pages() -> fetch_pte()
    pgtable->root = pte (new root value)
                                                   READ pgtable->[mode/root]
                                                     Reads new root, old mode
    Updates mode (pgtable->mode += 1)

Since page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path.
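
The interleaving and the seqcount remedy described above, as an added user-space sketch in C11 atomics; it is not the kernel patch and does not use the kernel's seqcount API. The struct, function and variable names and the single-threaded replay of the race are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for the driver's page-table state; names are assumptions. */
struct pgtable { atomic_uint seq; _Atomic(void *) root; atomic_int mode; };
struct snap { void *root; int mode; bool stable; };
struct observed { struct snap unlocked, seq_try, after; };
static int old_root_page, new_root_page;   /* constructed stand-ins for root pages */

/* Pre-fix style read: no synchronization, so it can pair new root with old mode. */
static struct snap read_unlocked(struct pgtable *pt)
{
    struct snap s = { atomic_load(&pt->root), atomic_load(&pt->mode), true };
    return s;
}

/* One seqcount read attempt: stable only if no writer was active or intervened. */
static struct snap read_seq_once(struct pgtable *pt)
{
    unsigned start = atomic_load(&pt->seq);
    struct snap s = { atomic_load(&pt->root), atomic_load(&pt->mode), false };
    s.stable = !(start & 1) && atomic_load(&pt->seq) == start;
    return s;
}

/* Full read side: retry until the (root, mode) pair is stable. */
static struct snap read_seq(struct pgtable *pt)
{
    struct snap s;
    do { s = read_seq_once(pt); } while (!s.stable);
    return s;
}

/* Replays the description's interleaving on one thread (reader runs mid-update). */
static struct observed run_race(void)
{
    struct pgtable pt = { 0, &old_root_page, 3 };
    struct observed o;
    atomic_fetch_add(&pt.seq, 1);              /* write begin: seq is odd */
    atomic_store(&pt.root, &new_root_page);    /* pgtable->root = new root */
    o.unlocked = read_unlocked(&pt);           /* CPU 1 reads here: torn pair */
    o.seq_try = read_seq_once(&pt);            /* seqcount reader must retry */
    atomic_fetch_add(&pt.mode, 1);             /* pgtable->mode += 1 */
    atomic_fetch_add(&pt.seq, 1);              /* write end: seq is even */
    o.after = read_seq(&pt);                   /* retry now succeeds */
    return o;
}

int main(void) { return run_race().seq_try.stable; } /* exits 0: retry detected */
```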

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 15

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥4.9.194 – <4.10
linux    linux_kernel   *         ≥4.14.146 – <4.15
linux    linux_kernel   *         ≥4.19.75 – <4.20
linux    linux_kernel   *         ≥5.2.17 – <5.3
linux    linux_kernel   *         ≥5.3.1 – <6.6.108
linux    linux_kernel   *         ≥6.7 – <6.12.49
linux    linux_kernel   *         ≥6.13 – <6.16.9
linux    linux_kernel   5.3       any
linux    linux_kernel   5.3       any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/075abf0b1a958acfbea2435003d228e738e90346
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1e56310b40fd2e7e0b9493da9ff488af145bdd0c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/075abf0b1a958acfbea2435003d228e738e90346
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1e56310b40fd2e7e0b9493da9ff488af145bdd0c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b
    Patch