{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39992", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.150Z", "datePublished": "2025-10-15T07:58:17.927Z", "dateUpdated": "2025-10-15T07:58:17.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-15T07:58:17.927Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: check for stable address space before operating on the VMA\n\nIt is possible to hit a zero entry while traversing the vmas in unuse_mm()\ncalled from swapoff path and accessing it causes the OOPS:\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000446--> Loading the memory from offset 0x40 on the\nXA_ZERO_ENTRY as address.\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n\nThe issue is manifested from the below race between the fork() on a\nprocess and swapoff:\nfork(dup_mmap())\t\t\tswapoff(unuse_mm)\n--------------- -----------------\n1) Identical mtree is built using\n __mt_dup().\n\n2) copy_pte_range()-->\n\tcopy_nonpresent_pte():\n The dst mm is added into the\n mmlist to be visible to the\n swapoff operation.\n\n3) Fatal signal is sent to the parent\nprocess(which is the current during the\nfork) thus skip the duplication of the\nvmas and mark the vma range with\nXA_ZERO_ENTRY as a marker for this process\nthat helps during exit_mmap().\n\n\t\t\t\t 4) swapoff is tried on the\n\t\t\t\t\t'mm' added to the 'mmlist' as\n\t\t\t\t\tpart of the 2.\n\n\t\t\t\t 5) unuse_mm(), that iterates\n\t\t\t\t\tthrough the vma's of this 'mm'\n\t\t\t\t\twill hit the non-NULL zero entry\n\t\t\t\t\tand operating on this zero entry\n\t\t\t\t\tas a vma is resulting into the\n\t\t\t\t\toops.\n\nThe proper fix would be around not exposing this partially-valid tree to\nothers when droping the mmap lock, which is being solved with [1]. A\nsimpler solution would be checking for MMF_UNSTABLE, as it is set if\nmm_struct is not fully initialized in dup_mmap().\n\nThanks to Liam/Lorenzo/David for all the suggestions in fixing this\nissue."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/swapfile.c"], "versions": [{"version": "d2406291483775ecddaee929231a39c70c08fda2", "lessThan": "4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac", "status": "affected", "versionType": "git"}, {"version": "d2406291483775ecddaee929231a39c70c08fda2", "lessThan": "9cddad3b26dac830407d2d3c0de5205ff6d6dda0", "status": "affected", "versionType": "git"}, {"version": "d2406291483775ecddaee929231a39c70c08fda2", "lessThan": "e4e99d69b8b8295c501b2eef89e13306b738b667", "status": "affected", "versionType": "git"}, {"version": "d2406291483775ecddaee929231a39c70c08fda2", "lessThan": "1367da7eb875d01102d2ed18654b24d261ff5393", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/swapfile.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.51", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.11", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.1", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.16.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.17.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac"}, {"url": "https://git.kernel.org/stable/c/9cddad3b26dac830407d2d3c0de5205ff6d6dda0"}, {"url": "https://git.kernel.org/stable/c/e4e99d69b8b8295c501b2eef89e13306b738b667"}, {"url": "https://git.kernel.org/stable/c/1367da7eb875d01102d2ed18654b24d261ff5393"}], "title": "mm: swap: check for stable address space before operating on the VMA", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: check for stable address space before operating on the VMA\n\nIt is possible to hit a zero entry while traversing the vmas in unuse_mm()\ncalled from swapoff path and accessing it causes the OOPS:\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000446--> Loading the memory from offset 0x40 on the\nXA_ZERO_ENTRY as address.\nMem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n\nThe issue is manifested from the below race between the fork() on a\nprocess and swapoff:\nfork(dup_mmap())\t\t\tswapoff(unuse_mm)\n--------------- -----------------\n1) Identical mtree is built using\n __mt_dup().\n\n2) copy_pte_range()-->\n\tcopy_nonpresent_pte():\n The dst mm is added into the\n mmlist to be visible to the\n swapoff operation.\n\n3) Fatal signal is sent to the parent\nprocess(which is the current during the\nfork) thus skip the duplication of the\nvmas and mark the vma range with\nXA_ZERO_ENTRY as a marker for this process\nthat helps during exit_mmap().\n\n\t\t\t\t 4) swapoff is tried on the\n\t\t\t\t\t'mm' added to the 'mmlist' as\n\t\t\t\t\tpart of the 2.\n\n\t\t\t\t 5) unuse_mm(), that iterates\n\t\t\t\t\tthrough the vma's of this 'mm'\n\t\t\t\t\twill hit the non-NULL zero entry\n\t\t\t\t\tand operating on this zero entry\n\t\t\t\t\tas a vma is resulting into the\n\t\t\t\t\toops.\n\nThe proper fix would be around not exposing this partially-valid tree to\nothers when droping the mmap lock, which is being solved with [1]. A\nsimpler solution would be checking for MMF_UNSTABLE, as it is set if\nmm_struct is not fully initialized in dup_mmap().\n\nThanks to Liam/Lorenzo/David for all the suggestions in fixing this\nissue."}], "id": "CVE-2025-39992", "lastModified": "2025-10-15T08:15:37.317", "metrics": {}, "published": "2025-10-15T08:15:37.317", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1367da7eb875d01102d2ed18654b24d261ff5393"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9cddad3b26dac830407d2d3c0de5205ff6d6dda0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e4e99d69b8b8295c501b2eef89e13306b738b667"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}