CVE-2025-39992
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm: swap: check for stable address space before operating on the VMA

It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from the swapoff path, and accessing it causes the OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446 --> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address.
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault

The issue is manifested from the below race between fork() on a process and swapoff:

fork(dup_mmap())                                   swapoff(unuse_mm)
----------------                                   -----------------
1) Identical mtree is built using __mt_dup().

2) copy_pte_range() --> copy_nonpresent_pte():
   The dst mm is added into the mmlist to be
   visible to the swapoff operation.

3) Fatal signal is sent to the parent process
   (which is the current during the fork), thus
   the duplication of the vmas is skipped and the
   vma range is marked with XA_ZERO_ENTRY as a
   marker for this process that helps during
   exit_mmap().

                                                   4) swapoff is tried on the 'mm' added
                                                      to the 'mmlist' as part of step 2.

                                                   5) unuse_mm(), which iterates through
                                                      the vmas of this 'mm', hits the
                                                      non-NULL zero entry, and operating
                                                      on this zero entry as a vma results
                                                      in the oops.

The proper fix would be around not exposing this partially-valid tree to others when dropping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap().

Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product        Version / Range
linux    linux_kernel   From 5.15.160 (inclusive) to 5.16 (inclusive)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's memory management subsystem as a race between the fork() system call and the swapoff operation. While fork() duplicates a process's memory map in dup_mmap(), the new mm is added to the mmlist, where swapoff can see it, before the copy of the virtual memory areas (VMAs) is complete. If a fatal signal reaches the parent at that point, dup_mmap() skips the remaining VMAs and marks their range with a zero entry (XA_ZERO_ENTRY). A concurrent swapoff then calls unuse_mm() on this partially initialized mm, treats the zero entry as a valid VMA, and dereferences a NULL pointer, crashing the kernel (OOPS). The root cause is that a partially valid memory map is exposed to other code before it is fully initialized.


How can this vulnerability impact me?

This vulnerability causes a kernel crash (OOPS) through a NULL pointer dereference in the Linux kernel. The result is system instability, an unexpected reboot, or a denial of service on the affected system, disrupting normal operation. The trigger requires swapoff to run concurrently with a fork() whose parent receives a fatal signal, so the race is narrow, but it is reachable on any affected kernel where swapoff is used.


What immediate steps should I take to mitigate this vulnerability?

The fix makes the swapoff path check for a stable address space before operating on a VMA: unuse_mm() tests the MMF_UNSTABLE flag, which dup_mmap() sets while an mm_struct is not yet fully initialized, and skips such an mm instead of walking its partially built VMA tree. The immediate mitigation is to update to a Linux kernel that includes this fix. Until the update is applied, avoid running swapoff on affected systems while processes are being forked, since swapoff is the only operation that reaches this code path.

