CVE-2025-38085

Published Jun 28, 2025

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-38085 affects the Linux kernel and stems from a race condition within the `mm/hugetlb` subsystem, specifically concerning the `hugepmdunshare()` function's interaction with GUP-fast operations. The vulnerability occurs when `hugepmdunshare()` drops a reference on a page table that may have been previously shared across processes. This can potentially transform it into a normal page table used in another process where unrelated VMAs can be installed. If the above scenario happens during a concurrent `gupfast()` operation, `gupfast()` could end up walking the page tables of another process. While this does not immediately lead to kernel memory corruption, it introduces unexpected behavior in page table management that could potentially affect system stability and security. The suggested fix involves implementing an explicit broadcast IPI through `tlbremovetablesyncone()`, similar to the approach used in `khugepaged` when removing page tables for a THP collapse.

Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Awaiting Analysis

Social media

Hype score
Not currently trending

  1. (CVE-2025-38084, CVE-2025-38085)[mm/hugetlb]hugetlb page table sharing races with VMA splitting -> page table UAF https://t.co/YPwb3TZ3TX https://t.co/tZa2EyZUO7 https://t.co/blzX9U00JT Reported by Jann Horn(@tehjh )

    @xvonfers

    28 Jul 2025

    2696 Impressions

    8 Retweets

    42 Likes

    20 Bookmarks

    2 Replies

    0 Quotes

  2. CVE-2025-38085 In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a pa… https://t.co/6kXky9Q39t

    @CVEnew

    28 Jun 2025

    532 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.