CVE-2025-38563
BaseFortify

Publication date: 2025-08-19

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

perf/core: Prevent VMA split of buffer mappings

The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mappings have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct.

Though perf does not prevent a related mapping from being split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are no longer fulfilling the offset and size checks. This leads to reference count leaks.

As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented. Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL. That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2025-08-19
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product        Version / Range
linux    linux_kernel   5.10.244
linux    linux_kernel   6.1.153
CWE: not assigned (CWE-UNKNOWN)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's perf subsystem concerns how splits of the virtual memory areas (VMAs) backing perf buffer mappings were handled. When a perf event's ring buffer (the user page plus the data pages) and, where the event supports it, its auxiliary buffer are mmap()'ed, the first mapping fixes the offset and size; every later mapping of the same buffer must use the same offset and size, because the reference counting for both buffers relies on that invariant. Nothing stopped user space from splitting such a mapping, though: a partial munmap(2), a resize via mremap(2), or an mmap(2) placed over part of the range splits the VMA. The split calls perf_mmap_open(), which takes new references, but the matching perf_mmap_close() calls then fail the offset and size checks and never drop them, so references leak. The fix implements the vm_operations_struct::may_split() callback for these mappings and returns -EINVAL unconditionally, so a mapping's offset and size can no longer be changed after the fact; moving the whole mapping to a different address with the same size still works, because that takes references for the new mapping and drops those of the old one.


How can this vulnerability impact me?

The direct effect is a leaked reference on the perf ring buffer (and, where present, the auxiliary buffer), so the kernel memory behind the buffer is never freed. A local process that can call perf_event_open(2) and mmap(2) the resulting buffer can trigger this repeatedly by partially unmapping or resizing the mapping, so the practical impact is resource exhaustion and a local denial of service rather than code execution. Whether an unprivileged user can reach this path depends on the kernel.perf_event_paranoid sysctl (the upstream value 2 still permits user-space-only events; some distributions add a value 3 that disables unprivileged perf_event_open entirely) and on the CAP_PERFMON or CAP_SYS_ADMIN capabilities. This record carries no CVSS score and no CWE assignment.


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that contains the fix, which adds a vm_operations_struct::may_split() callback to the perf buffer mappings that returns -EINVAL, so offsets and sizes cannot be changed after the first mapping. The versions listed under Affected Vendors & Products above (5.10.244 and 6.1.153) are the CPE versions associated with this record; check your distribution's advisory for the exact release that carries the backport to your branch. Until the kernel is updated, limit who can open perf events: raise kernel.perf_event_paranoid (to 3 where your kernel supports that value) or restrict CAP_PERFMON, since only a process that can perf_event_open() and mmap the buffer can trigger the split. Asking applications not to resize or partially unmap perf buffers is not a mitigation; the defect is that the kernel accepted such requests. After updating, a quick check is that a partial munmap(2) or an in-place mremap(2) shrink of a perf mapping now fails with EINVAL, while moving the whole mapping to a new address with the same size still succeeds.
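The following program is an added example, not code from this page or from the Linux kernel project. It maps a small perf ring buffer and applies the three VMA operations the description discusses: a partial munmap(2), an in-place shrink via mremap(2), and a move to a new fixed address with the same size. On a kernel with the may_split() fix the first two are refused with EINVAL and the third succeeds; on an unpatched kernel all three succeed, and the first two then leave behind the leaked reference the advisory describes, so run it only on a scratch machine. It assumes a Linux system where the calling user is permitted to perf_event_open(2) a user-space-only software event; where that is not the case (seccomp, perf_event_paranoid) every probe reports PROBE_UNAVAILABLE. The probe_* names and the 4-data-page buffer size are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>
#ifndef MREMAP_MAYMOVE /* only needed if _GNU_SOURCE was not in effect before <sys/mman.h> */
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
extern void *mremap(void *old_address, size_t old_size, size_t new_size, int flags, ...);
#endif

/* VMA operation to try against a live perf buffer mapping (names chosen for this example). */
enum probe_op { PROBE_PARTIAL_UNMAP, PROBE_SHRINK, PROBE_MOVE_SAME_SIZE };

enum probe_result {
    PROBE_UNAVAILABLE = -1, /* could not open or map a perf event here (seccomp, perf_event_paranoid) */
    PROBE_ALLOWED = 0,      /* the kernel accepted the operation */
    PROBE_REJECTED = 1      /* the kernel refused it with EINVAL, as may_split() does after the fix */
};

/* perf requires one user page plus a power-of-two number of data pages; 0 means invalid. */
size_t perf_mmap_len(unsigned nr_data_pages, size_t page_size)
{
    if (nr_data_pages == 0 || (nr_data_pages & (nr_data_pages - 1)) != 0)
        return 0;
    return (size_t)(1 + nr_data_pages) * page_size;
}

int probe_result_is_valid(int r)
{
    return r == PROBE_UNAVAILABLE || r == PROBE_ALLOWED || r == PROBE_REJECTED;
}

/* Map a small perf ring buffer and apply one VMA operation to it. */
int probe_perf_vma(enum probe_op op)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    attr.disabled = 1;       /* never started; only the mapping matters */
    attr.exclude_kernel = 1; /* user-space-only event, openable under perf_event_paranoid=2 */
    attr.exclude_hv = 1;

    int fd = (int)syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0)
        return PROBE_UNAVAILABLE;

    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = perf_mmap_len(4, page); /* user page + 4 data pages */
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return PROBE_UNAVAILABLE;
    }

    int result = PROBE_UNAVAILABLE;
    switch (op) {
    case PROBE_PARTIAL_UNMAP:
        /* Unmapping only the last data page forces the VMA to be split. */
        if (munmap(p + len - page, page) == 0) {
            result = PROBE_ALLOWED;
            munmap(p, len - page);
        } else {
            result = errno == EINVAL ? PROBE_REJECTED : PROBE_UNAVAILABLE;
            munmap(p, len);
        }
        break;
    case PROBE_SHRINK:
        /* Shrinking in place splits off and unmaps the tail: same code path. */
        if (mremap(p, len, len - page, 0) != MAP_FAILED) {
            result = PROBE_ALLOWED;
            munmap(p, len - page);
        } else {
            result = errno == EINVAL ? PROBE_REJECTED : PROBE_UNAVAILABLE;
            munmap(p, len);
        }
        break;
    case PROBE_MOVE_SAME_SIZE: {
        /* Moving the whole mapping keeps offset and size, so it stays legal after the fix. */
        void *dst = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        void *q = dst == MAP_FAILED ? MAP_FAILED
                                    : mremap(p, len, len, MREMAP_MAYMOVE | MREMAP_FIXED, dst);
        if (q != MAP_FAILED) {
            result = PROBE_ALLOWED;
            munmap(q, len); /* mremap already released the old range */
        } else {
            result = errno == EINVAL ? PROBE_REJECTED : PROBE_UNAVAILABLE;
            munmap(p, len);
            if (dst != MAP_FAILED)
                munmap(dst, len);
        }
        break;
    }
    }
    close(fd);
    return result;
}

int main(void)
{
    static const char *const names[] = { "partial munmap", "mremap shrink", "mremap move, same size" };
    static const char *const verdict[] = { "allowed", "rejected with EINVAL" };
    for (int op = 0; op < 3; op++) {
        int r = probe_perf_vma((enum probe_op)op);
        if (r == PROBE_UNAVAILABLE)
            printf("%s: could not probe (perf_event_open or mmap failed)\n", names[op]);
        else
            printf("%s: %s\n", names[op], verdict[r]);
    }
    return 0;
}
```

Build with `cc -O2 -o perf-split-probe perf-split-probe.c` and run as a user who may open perf events. A fixed kernel prints "rejected with EINVAL" for the first two probes and "allowed" for the move; an unpatched kernel prints "allowed" three times. The event is created disabled and user-space-only so that the probe stays within what perf_event_paranoid=2 permits and never samples anything.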

