CVE-2025-40006
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix folio is still mapped when deleted Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration entry to normal pte, and the folio is mapped again. As a result, we triggered BUG in filemap_unaccount_folio. The log is as follows: BUG: Bad page cache in process hugetlb pfn:156c00 page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f4(hugetlb) page dumped because: still mapped when deleted CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x4f/0x70 filemap_unaccount_folio+0xc4/0x1c0 __filemap_remove_folio+0x38/0x1c0 filemap_remove_folio+0x41/0xd0 remove_inode_hugepages+0x142/0x250 hugetlbfs_fallocate+0x471/0x5a0 vfs_fallocate+0x149/0x380 Hold folio lock before checking if the folio is mapped to avold race with migration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-05-07
AI Q&A
2025-10-20
EPSS Evaluated
2026-05-05
NVD
CVE-2025-40006
EUVD
EUVD-2025-35074
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.17.0-rc5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves a race condition during memory migration of huge pages. Specifically, when a folio (a group of pages) is being deleted, it may still be mapped due to a race between migration and fallocating a hole. The function remove_inode_single_folio attempts to unmap the folio but does so without holding the folio lock, which can cause it to miss that the folio is still mapped if the page table entry has been converted to a migration entry. This leads to an extra reference count being held, migration failing, and eventually triggering a kernel BUG due to a bad page cache state.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to hit a BUG condition, potentially leading to system instability or crashes when handling huge pages. It affects the memory management subsystem, which could disrupt applications relying on huge pages for performance, and may cause unexpected behavior or downtime.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system logs for the specific BUG message related to the hugetlb page cache issue. Look for log entries containing 'BUG: Bad page cache in process hugetlb' and details about 'page dumped because: still mapped when deleted'. You can use commands like 'dmesg | grep -i hugetlb' or 'journalctl -k | grep -i hugetlb' to find such messages in the kernel logs.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is fixed, as the issue is resolved by holding the folio lock before checking if the folio is mapped to avoid race conditions during migration. Until an update is applied, monitoring for the BUG messages and avoiding workloads that heavily use hugetlb page migration may reduce exposure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart