CVE-2025-38434
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-11-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"

This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()").

This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some computation. The reasoning was that all user addresses are less than LONG_MAX, and all kernel addresses are greater than LONG_MAX. Therefore access_ok() can filter kernel addresses.

Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but access_ok() let them pass. That was thought to be okay, because they are not valid addresses at hardware level.

Unfortunately, one case is missed: get_user_pages_fast() happily accepts addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses get_user_pages_fast(). This causes the problem reported by Robert [1].

Therefore, revert this commit. TASK_SIZE_MAX is changed to the default: TASK_SIZE. This unfortunately reduces performance, because TASK_SIZE is more expensive to compute compared to LONG_MAX. But correctness first, we can think about optimization later, if required.
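The following user-space model, added here and not taken from the kernel or from this record, shows why the LONG_MAX limit admits ranges that a TASK_SIZE limit rejects. The range check mirrors the shape of the generic __access_ok() (object must fit below the limit without wrapping); MODEL_TASK_SIZE is an assumed Sv39 value (1 << 38), and the sample addresses are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed user address-space limit for this model (Sv39: 1 << 38). The real
 * TASK_SIZE depends on the configured paging mode; this value is constructed. */
#define MODEL_TASK_SIZE (1UL << 38)

/* Range check in the style of the generic __access_ok(): the object at
 * [addr, addr + size) must lie at or below limit without wrapping. */
static bool model_access_ok(unsigned long limit, unsigned long addr, unsigned long size)
{
    return (size <= limit) && (addr <= (limit - size));
}

/* Behaviour with the reverted commit applied: TASK_SIZE_MAX == LONG_MAX. */
static bool access_ok_longmax(unsigned long addr, unsigned long size)
{
    return model_access_ok((unsigned long)LONG_MAX, addr, size);
}

/* Behaviour after the revert: TASK_SIZE_MAX == TASK_SIZE. */
static bool access_ok_tasksize(unsigned long addr, unsigned long size)
{
    return model_access_ok(MODEL_TASK_SIZE, addr, size);
}

/* True when the LONG_MAX variant admits a range that is not valid user
 * memory, i.e. the gap between TASK_SIZE and LONG_MAX described above. */
static bool in_unchecked_gap(unsigned long addr, unsigned long size)
{
    return access_ok_longmax(addr, size) && !access_ok_tasksize(addr, size);
}

int main(void)
{
    /* Constructed sample addresses: ordinary user, gap, kernel, wrap-around. */
    const unsigned long samples[] = { 0x1000UL, 1UL << 40, 0xffffffff80000000UL,
                                      ULONG_MAX - 4 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long a = samples[i];
        printf("0x%016lx: LONG_MAX=%d TASK_SIZE=%d gap=%d\n", a,
               access_ok_longmax(a, 8), access_ok_tasksize(a, 8),
               in_unchecked_gap(a, 8));
    }
    return 0;
}
```

Only the second sample (1 << 40) is reported as in the gap: the LONG_MAX check passes it while the TASK_SIZE check does not, which is the class of address that get_user_pages_fast() callers such as futex() then received.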
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-25
EPSS evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
CWE: NVD-CWE-noinfo (insufficient information)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a change in the Linux kernel where TASK_SIZE_MAX was set to LONG_MAX to optimize the access_ok() function. The assumption was that all user addresses are less than LONG_MAX and kernel addresses are greater, so access_ok() would filter kernel addresses correctly. However, addresses between TASK_SIZE and LONG_MAX, which are not valid user addresses, were incorrectly allowed by access_ok(). This caused issues because functions like get_user_pages_fast() accepted these invalid addresses, potentially leading to incorrect behavior or security problems. The fix was to revert the change and set TASK_SIZE_MAX back to TASK_SIZE to ensure correctness, even though it reduces performance.


How can this vulnerability impact me?

The vulnerability can lead to improper validation of memory addresses in the Linux kernel, allowing certain invalid addresses to be accepted by functions like get_user_pages_fast(). This could result in security issues such as unauthorized access to kernel memory or instability in kernel operations that rely on correct address validation.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is mitigated by reverting the commit that changed TASK_SIZE_MAX to LONG_MAX back to TASK_SIZE. Therefore, the immediate step is to update your Linux kernel to a version where this revert has been applied, ensuring TASK_SIZE_MAX is set to TASK_SIZE. This may involve applying the patch that reverts commit ad5643cf2f69 or upgrading to a kernel version released after 2025-07-25 that includes this fix.

