CVE-2025-38256
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-09

Last updated on: 2025-11-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: fix folio unpinning syzbot complains about an unmapping failure: [ 108.070381][ T14] kernel BUG at mm/gup.c:71! [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025 [ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work [ 108.174205][ T14] Call trace: [ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P) [ 108.178138][ T14] unpin_user_page+0x80/0x10c [ 108.180189][ T14] io_release_ubuf+0x84/0xf8 [ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c [ 108.184345][ T14] io_rsrc_data_free+0x148/0x298 [ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0 [ 108.188991][ T14] io_ring_ctx_free+0x48/0x480 [ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8 [ 108.193207][ T14] process_one_work+0x7e8/0x155c [ 108.195431][ T14] worker_thread+0x958/0xed8 [ 108.197561][ T14] kthread+0x5fc/0x75c [ 108.199362][ T14] ret_from_fork+0x10/0x20 We can pin a tail page of a folio, but then io_uring will try to unpin the head page of the folio. While it should be fine in terms of keeping the page actually alive, mm folks say it's wrong and triggers a debug warning. Use unpin_user_folio() instead of unpin_user_page*. [axboe: adapt to current tree, massage commit message]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-09
Last Modified
2025-11-19
Generated
2026-05-07
AI Q&A
2025-07-09
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38256
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's io_uring subsystem improperly unpinning pages of memory. Specifically, it pins a tail page of a folio but then tries to unpin the head page, which is incorrect and triggers a debug warning or kernel bug. The fix involves using the correct function to unpin the entire folio rather than individual pages, preventing internal errors and kernel crashes.


How can this vulnerability impact me? :

This vulnerability can cause kernel bugs and internal errors, potentially leading to system instability or crashes when using io_uring. This could affect the reliability and availability of systems running vulnerable Linux kernels.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system logs for kernel BUG messages related to io_uring and folio unpinning failures. Specifically, look for messages similar to: 'kernel BUG at mm/gup.c:71!' or 'Internal error: Oops - BUG: ...' involving io_uring workqueue and unpin_user_page calls. You can use the command 'dmesg | grep -i "kernel BUG"' or 'journalctl -k | grep -i "io_uring"' to find such errors in the kernel logs.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to update the Linux kernel to a version where the vulnerability is fixed by using unpin_user_folio() instead of unpin_user_page* in the io_uring resource handling code. Until an update is applied, monitoring for the described kernel BUG messages and avoiding workloads that trigger io_uring folio unpinning can reduce exposure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart