CVE-2025-68211 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3
https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5
https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages. This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages. This patch replaces the per-address lookup with a range walk using walk_page_range(). The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups. This problem was previously discussed in [1]. Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page: #include <unistd.h> #include <stdio.h> #include <sys/mman.h> /* 32 TiB / const size_t size = 32ul 1024 * 1024 * 1024 * 1024; int main() { char area = mmap(NULL, size, PROT_READ \| PROT_WRITE, MAP_NORESERVE \| MAP_PRIVATE \| MAP_ANON, -1, 0); if (area == MAP_FAILED) { perror("mmap() failed\n"); return -1; } / Populate a single page such that we get an anon_vma. / area = 0; /* Enable KSM. */ madvise(area, size, MADV_MERGEABLE); pause(); return 0; } $ ./ksm-sparse & $ echo 1 > /sys/kernel/mm/ksm/run Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page. This makes ksmd essentially deadlocked not able to deduplicate anything of value. With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.
Title		ksm: use range-walk function to jump over holes in scan_get_next_rmap_item
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3 https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5 https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68211", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-16T13:41:40.256Z", "datePublished": "2025-12-16T13:48:37.959Z", "dateUpdated": "2025-12-16T13:48:37.959Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-16T13:48:37.959Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksm: use range-walk function to jump over holes in scan_get_next_rmap_item\n\nCurrently, scan_get_next_rmap_item() walks every page address in a VMA to\nlocate mergeable pages. This becomes highly inefficient when scanning\nlarge virtual memory areas that contain mostly unmapped regions, causing\nksmd to use large amount of cpu without deduplicating much pages.\n\nThis patch replaces the per-address lookup with a range walk using\nwalk_page_range(). The range walker allows KSM to skip over entire\nunmapped holes in a VMA, avoiding unnecessary lookups. This problem was\npreviously discussed in [1].\n\nConsider the following test program which creates a 32 TiB mapping in the\nvirtual address space but only populates a single page:\n\n#include <unistd.h>\n#include <stdio.h>\n#include <sys/mman.h>\n\n/* 32 TiB */\nconst size_t size = 32ul * 1024 * 1024 * 1024 * 1024;\n\nint main() {\n char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,\n MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);\n\n if (area == MAP_FAILED) {\n perror(\"mmap() failed\\n\");\n return -1;\n }\n\n /* Populate a single page such that we get an anon_vma. */\n *area = 0;\n\n /* Enable KSM. */\n madvise(area, size, MADV_MERGEABLE);\n pause();\n return 0;\n}\n\n$ ./ksm-sparse &\n$ echo 1 > /sys/kernel/mm/ksm/run \n\nWithout this patch ksmd uses 100% of the cpu for a long time (more then 1\nhour in my test machine) scanning all the 32 TiB virtual address space\nthat contain only one mapped page. This makes ksmd essentially deadlocked\nnot able to deduplicate anything of value. With this patch ksmd walks\nonly the one mapped page and skips the rest of the 32 TiB virtual address\nspace, making the scan fast using little cpu."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/ksm.c"], "versions": [{"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc", "lessThan": "74f78421c925b6d17695566f0c5941de57fd44b3", "status": "affected", "versionType": "git"}, {"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc", "lessThan": "f62973e0767e4fcd6799087787fca08ca2a85b8c", "status": "affected", "versionType": "git"}, {"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc", "lessThan": "f5548c318d6520d4fa3c5ed6003eeb710763cbc5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/ksm.c"], "versions": [{"version": "2.6.32", "status": "affected"}, {"version": "0", "lessThan": "2.6.32", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.59", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.9", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.12.59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.17.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3"}, {"url": "https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c"}, {"url": "https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5"}], "title": "ksm: use range-walk function to jump over holes in scan_get_next_rmap_item", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksm: use range-walk function to jump over holes in scan_get_next_rmap_item\n\nCurrently, scan_get_next_rmap_item() walks every page address in a VMA to\nlocate mergeable pages. This becomes highly inefficient when scanning\nlarge virtual memory areas that contain mostly unmapped regions, causing\nksmd to use large amount of cpu without deduplicating much pages.\n\nThis patch replaces the per-address lookup with a range walk using\nwalk_page_range(). The range walker allows KSM to skip over entire\nunmapped holes in a VMA, avoiding unnecessary lookups. This problem was\npreviously discussed in [1].\n\nConsider the following test program which creates a 32 TiB mapping in the\nvirtual address space but only populates a single page:\n\n#include <unistd.h>\n#include <stdio.h>\n#include <sys/mman.h>\n\n/* 32 TiB */\nconst size_t size = 32ul * 1024 * 1024 * 1024 * 1024;\n\nint main() {\n char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,\n MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);\n\n if (area == MAP_FAILED) {\n perror(\"mmap() failed\\n\");\n return -1;\n }\n\n /* Populate a single page such that we get an anon_vma. */\n *area = 0;\n\n /* Enable KSM. */\n madvise(area, size, MADV_MERGEABLE);\n pause();\n return 0;\n}\n\n$ ./ksm-sparse &\n$ echo 1 > /sys/kernel/mm/ksm/run \n\nWithout this patch ksmd uses 100% of the cpu for a long time (more then 1\nhour in my test machine) scanning all the 32 TiB virtual address space\nthat contain only one mapped page. This makes ksmd essentially deadlocked\nnot able to deduplicate anything of value. With this patch ksmd walks\nonly the one mapped page and skips the rest of the 32 TiB virtual address\nspace, making the scan fast using little cpu."}], "id": "CVE-2025-68211", "lastModified": "2025-12-16T14:15:54.023", "metrics": {}, "published": "2025-12-16T14:15:54.023", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object