CVE-2025-38518
BaseFortify
Publication date: 2025-08-16
Last updated on: 2025-11-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the AMD Cyan Skillfish CPU (Family 17h, Model 47h, Stepping 0h) where the CPU incorrectly reports support for the INVLPGB instruction used for TLB flushes. Because the CPU is misconfigured and should not report this feature, using INVLPGB causes system crashes (oopses and panics). The Linux kernel has been updated to disable the INVLPGB flag on affected CPUs to prevent confusion and system instability.
How can this vulnerability impact me? :
If you are using an AMD Cyan Skillfish CPU with the specified model and stepping, this vulnerability can cause your system to crash unexpectedly during certain memory management operations involving TLB flushes. This can lead to system instability and potential data loss due to unexpected panics.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) CPUs running Linux kernels that incorrectly enable the INVLPGB flag. To mitigate this, update your Linux kernel to a version where the INVLPGB flag is disabled for affected CPUs, as the kernel patch removes the flag to prevent system oopses and panics. There are no other specific mitigation steps provided.