{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38563", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.025Z", "datePublished": "2025-08-19T17:02:40.249Z", "dateUpdated": "2025-08-19T17:02:40.249Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-19T17:02:40.249Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()'ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "7b84cb58d1f0aa07656802eae24689566e5f5b1b", "status": "affected", "versionType": "git"}, {"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "6757a31a8e295ae4f01717a954afda173f25a121", "status": "affected", "versionType": "git"}, {"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "e529888b7e8092912dd8789bdfc76685ccd2ff5f", "status": "affected", "versionType": "git"}, {"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "ff668930871e0198c7f4e325058b8b7c286787bd", "status": "affected", "versionType": "git"}, {"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "65311aad4c808bedad0c05d9bb8b06c47dae73eb", "status": "affected", "versionType": "git"}, {"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff", "lessThan": "b024d7b56c77191cde544f838debb7f8451cd0d6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "4.1", "status": "affected"}, {"version": "0", "lessThan": "4.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.148", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.102", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.42", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.10", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.1.148"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.6.102"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.12.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.15.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b"}, {"url": "https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121"}, {"url": "https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f"}, {"url": "https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd"}, {"url": "https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb"}, {"url": "https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6"}], "title": "perf/core: Prevent VMA split of buffer mappings", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()'ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/core: Prevenir la divisi\u00f3n de VMA de las asignaciones de b\u00fafer El c\u00f3digo perf mmap es cuidadoso al realizar mmap() en la p\u00e1gina de usuario con el b\u00fafer de anillo y, adicionalmente, el b\u00fafer auxiliar, cuando el evento lo admite. Una vez que se establece la primera asignaci\u00f3n, las asignaciones posteriores deben usar el mismo desplazamiento y el mismo tama\u00f1o en ambos casos. El recuento de referencias para el b\u00fafer de anillo y el b\u00fafer auxiliar depende de que esto sea correcto. Aunque perf no impide que una asignaci\u00f3n relacionada se divida mediante mmap(2), munmap(2) o mremap(2). Una divisi\u00f3n de una VMA da como resultado llamadas a perf_mmap_open(), que toman recuentos de referencias, pero luego las llamadas perf_mmap_close() posteriores ya no cumplen con las comprobaciones de desplazamiento y tama\u00f1o. Esto conduce a fugas de recuento de referencias. Como perf ya tiene el requisito de que las asignaciones posteriores coincidan con la asignaci\u00f3n inicial, la consecuencia obvia es que se deben evitar las divisiones de VMA, causadas por el cambio de tama\u00f1o de una asignaci\u00f3n o la desasignaci\u00f3n parcial. Implemente la funci\u00f3n de retorno vm_operations_struct::may_split() y devuelva incondicionalmente -EINVAL. Esto garantiza que los desplazamientos y tama\u00f1os de la asignaci\u00f3n no se puedan modificar posteriormente. La reasignaci\u00f3n a una direcci\u00f3n fija diferente con el mismo tama\u00f1o sigue siendo posible, ya que toma las referencias de la nueva asignaci\u00f3n y descarta las de la asignaci\u00f3n anterior."}], "id": "CVE-2025-38563", "lastModified": "2025-08-20T14:40:17.713", "metrics": {}, "published": "2025-08-19T17:15:32.790", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: perf/core: Prevent VMA split of buffer mappings", "id": "2389478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389478"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38563", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38563\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38563\nhttps://lore.kernel.org/linux-cve-announce/2025081907-CVE-2025-38563-81e4@gregkh/T"], "threat_severity": "Moderate"}