CVE-2025-38681
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-03

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of the kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems.

To avoid the above-mentioned race condition, platforms such as arm64, riscv and s390 take the memory hotplug lock while dumping the kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. A similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages, which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside the generic ptdump_check_wx(), which will benefit both scenarios. Drop the get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.
Meta Information

Generated: 2026-05-07
AI Q&A generated: 2025-09-04
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   6.1.153-1
linux    linux_kernel   5.10.244-1
CWE ID: CWE-UNKNOWN (no weakness type assigned)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a race condition in the Linux kernel's ptdump code, which is responsible for dumping kernel page tables. When intermediate levels of kernel page tables are freed during memory hot removal, the ptdump code may continue to use memory that has been freed and possibly reallocated for other purposes. This can cause the code to dereference invalid addresses, potentially leading to various problems. The issue arises because the ptdump code does not properly take the memory hotplug lock during these operations, allowing concurrent modifications to cause inconsistent or stale data to be logged or invalid memory accesses.


How can this vulnerability impact me?

The vulnerability can lead to the ptdump code dereferencing invalid or freed memory addresses, which may cause system instability, crashes, or other unpredictable behavior in the Linux kernel. When only leaf entries change concurrently, the result is merely stale or inconsistent information being logged; when intermediate page table levels are freed, however, the use of freed memory can cause more serious problems affecting system reliability and security.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix, in which the memory hotplug lock is taken inside ptdump_walk_pgd() and ptdump_check_wx() rather than in each platform's ptdump code. This prevents the race between kernel page table dumping or W+X checking and memory hot removal. Until the kernel is updated, avoid using the /sys/kernel/debug/kernel_page_tables interface (including check_wx_pages) on affected platforms.

