CVE-2025-39961
BaseFortify

Publication date: 2025-10-09

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/amd/pgtbl: Fix possible race while increase page table level

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations.

The IOMMU IOVA allocator initially starts with 32-bit address and once it's exhausted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level.

But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So it's possible that in an extreme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result in iommu_unmap ops failing, and the upper layer may retry/log WARN_ON.

    CPU 0                                         CPU 1
    ------                                        ------
    map pages                                     unmap pages
    alloc_pte() -> increase_address_space()       iommu_v1_unmap_pages() -> fetch_pte()
      pgtable->root = pte (new root value)
                                                  READ pgtable->[mode/root]
                                                    Reads new root, old mode
      Updates mode (pgtable->mode += 1)

Since page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path.
Meta Information
Published: 2025-10-09
Last Modified: 2026-02-26
Generated: 2026-05-06
AI Q&A: 2025-10-09
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 3 associated CPEs
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.3 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a race condition in the AMD IOMMU host page table implementation in the Linux kernel. The driver supports dynamic page table levels that can increase from 3 up to 6 levels based on address space needs. During the unmap operation, a function fetch_pte() reads page table root and mode values without proper locking. In rare cases, when the page table level is being increased concurrently, fetch_pte() may read inconsistent values (new root but old mode), causing it to fail to find the correct page table entry. This leads to unmap operations failing and potential warnings or retries in upper layers. The fix involves using a sequence counter (seqcount) to allow lock-free but consistent reads during these operations.


How can this vulnerability impact me?

This vulnerability can cause failures in unmapping IOMMU page tables, which may lead to failed unmap operations and repeated retries or warnings in the system. While it does not directly cause data corruption or security breaches, it can affect system stability and performance, especially in workloads relying heavily on AMD IOMMU for device memory management.


What immediate steps should I take to mitigate this vulnerability?

Apply the Linux kernel update that includes the fix for the AMD IOMMU host page table race condition. The fix involves implementing seqcount to enable lock-free read operations on the read path, preventing the race condition during page table level updates.

