GHSA-VMX6-H5GH-R675

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-01-09 00:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful.

But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems.

To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables.

Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios.

Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.

Severity ?
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required.  The ptdump code can race with concurrent modifications of\nthe kernel page tables.  When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose.  In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx().  Instead of solving this race\ncondition again, let\u0027s just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths.",
  "id": "GHSA-vmx6-h5gh-r675",
  "modified": "2026-01-09T00:30:27Z",
  "published": "2025-09-05T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38681"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.