CVE-2025-38085
Published: Jun 28, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa - < 952596b08c74e8fe9e2883d1dc8a8f54a37384ecaffected 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa - < a3d864c901a300c295692d129159fc3001a56185affected 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa - < b7754d3aa7bf9f62218d096c0c8f6c13698fac8baffected 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa - < fe684290418ef9ef76630072086ee530b92f02b8affected 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa - < 034a52b5ef57c9c8225d94e9067f3390bb33922f+2 more versions |
Linux | Linux | affected 2.6.20unaffected 0 - < 2.6.20unaffected 5.10.239 - <= 5.10.*unaffected 5.15.186 - <= 5.15.*unaffected 6.1.142 - <= 6.1.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now