{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38564", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.025Z", "datePublished": "2025-08-19T17:02:40.942Z", "dateUpdated": "2025-08-19T17:02:40.942Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-19T17:02:40.942Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Handle buffer mapping fail correctly in perf_mmap()\n\nAfter successful allocation of a buffer or a successful attachment to an\nexisting buffer perf_mmap() tries to map the buffer read only into the page\ntable. If that fails, the already set up page table entries are zapped, but\nthe other perf specific side effects of that failure are not handled. The\ncalling code just cleans up the VMA and does not invoke perf_mmap_close().\n\nThis leaks reference counts, corrupts user->vm accounting and also results\nin an unbalanced invocation of event::event_mapped().\n\nCure this by moving the event::event_mapped() invocation before the\nmap_range() call so that on map_range() failure perf_mmap_close() can be\ninvoked without causing an unbalanced event::event_unmapped() call.\n\nperf_mmap_close() undoes the reference counts and eventually frees buffers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "b709eb872e19a19607bbb6d2975bc264d59735cf", "lessThan": "831e1c90a5d72e6977a57c44f47c46b73a438695", "status": "affected", "versionType": "git"}, {"version": "b709eb872e19a19607bbb6d2975bc264d59735cf", "lessThan": "a9025f73c88d9d6e125743a43afc569da3ce5328", "status": "affected", "versionType": "git"}, {"version": "b709eb872e19a19607bbb6d2975bc264d59735cf", "lessThan": "f74b9f4ba63ffdf597aaaa6cad7e284cb8e04820", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.10", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.15.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/831e1c90a5d72e6977a57c44f47c46b73a438695"}, {"url": "https://git.kernel.org/stable/c/a9025f73c88d9d6e125743a43afc569da3ce5328"}, {"url": "https://git.kernel.org/stable/c/f74b9f4ba63ffdf597aaaa6cad7e284cb8e04820"}], "title": "perf/core: Handle buffer mapping fail correctly in perf_mmap()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Handle buffer mapping fail correctly in perf_mmap()\n\nAfter successful allocation of a buffer or a successful attachment to an\nexisting buffer perf_mmap() tries to map the buffer read only into the page\ntable. If that fails, the already set up page table entries are zapped, but\nthe other perf specific side effects of that failure are not handled. The\ncalling code just cleans up the VMA and does not invoke perf_mmap_close().\n\nThis leaks reference counts, corrupts user->vm accounting and also results\nin an unbalanced invocation of event::event_mapped().\n\nCure this by moving the event::event_mapped() invocation before the\nmap_range() call so that on map_range() failure perf_mmap_close() can be\ninvoked without causing an unbalanced event::event_unmapped() call.\n\nperf_mmap_close() undoes the reference counts and eventually frees buffers."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/core: Manejar el error de mapeo de b\u00fafer correctamente en perf_mmap() Despu\u00e9s de la asignaci\u00f3n exitosa de un b\u00fafer o una conexi\u00f3n exitosa a un b\u00fafer existente, perf_mmap() intenta mapear el b\u00fafer de solo lectura en la tabla de p\u00e1ginas. Si eso falla, las entradas de la tabla de p\u00e1ginas ya configuradas se eliminan, pero los otros efectos secundarios espec\u00edficos de perf de ese fallo no se manejan. El c\u00f3digo de llamada simplemente limpia el VMA y no invoca perf_mmap_close(). Esto filtra los recuentos de referencia, corrompe la contabilidad de usuario->vm y tambi\u00e9n resulta en una invocaci\u00f3n desequilibrada de event::event_mapped(). Solucione esto moviendo la invocaci\u00f3n de event::event_mapped() antes de la llamada a map_range() para que en el fallo de map_range() se pueda invocar perf_mmap_close() sin causar una llamada desequilibrada a event::event_unmapped(). perf_mmap_close() deshace los recuentos de referencia y eventualmente libera los b\u00faferes."}], "id": "CVE-2025-38564", "lastModified": "2025-08-20T14:40:17.713", "metrics": {}, "published": "2025-08-19T17:15:32.933", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/831e1c90a5d72e6977a57c44f47c46b73a438695"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9025f73c88d9d6e125743a43afc569da3ce5328"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f74b9f4ba63ffdf597aaaa6cad7e284cb8e04820"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: perf/core: Handle buffer mapping fail correctly in perf_mmap()", "id": "2389459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389459"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38564", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38564\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38564\nhttps://lore.kernel.org/linux-cve-announce/2025081908-CVE-2025-38564-efa3@gregkh/T"], "threat_severity": "Low"}