CVE-2025-40040
BaseFortify

Publication date: 2025-10-28

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm/ksm: fix flag-dropping behavior in ksm_madvise

syzkaller discovered the following crash: (kernel BUG)

[ 44.607039] ------------[ cut here ]------------
[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
<snip other registers, drop unreliable trace>
[ 44.617726] Call Trace:
[ 44.617926] <TASK>
[ 44.619284] userfaultfd_release+0xef/0x1b0
[ 44.620976] __fput+0x3f9/0xb60
[ 44.621240] fput_close_sync+0x110/0x210
[ 44.622222] __x64_sys_close+0x8f/0x120
[ 44.622530] do_syscall_64+0x5b/0x2f0
[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 44.623244] RIP: 0033:0x7f365bb3f227

Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.

The inconsistency is caused in ksm_madvise(): when the user calls madvise() with MADV_UNMERGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags.

Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment.

VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills the upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). The & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of the intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32 bits of its value.

Fix it by changing the `VM_MERGEABLE` constant to unsigned long, using the BIT() macro.

Note: other VM_* flags are not affected: this only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after the ~ operation they end up with a leading 1 and are thus converted to unsigned long with leading 1s.

Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place:

[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067

but the root cause (flag-drop) remains the same.

[[email protected]: rust bindgen wasn't able to handle BIT(), from Miguel]
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-10-28
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 7 associated CPEs (each range runs from the first affected release, inclusive, to the first fixed release of that stable series, exclusive)

Vendor  Product       Version / Range
linux   linux_kernel  From 4.6 (inc) to 5.4.302 (exc)
linux   linux_kernel  From 5.5 (inc) to 5.10.247 (exc)
linux   linux_kernel  From 5.11 (inc) to 5.15.197 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.158 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.114 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.55 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.17.3 (exc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in the Linux kernel's memory management subsystem (ksm_madvise) caused by an integer-promotion mistake in a bitwise operation. When a user calls madvise() with MADV_UNMERGEABLE on a virtual memory area (VMA), the kernel clears the KSM flag with vm_flags &= ~VM_MERGEABLE. VM_MERGEABLE was defined as the literal 0x80000000, which has type unsigned int (32-bit), so ~VM_MERGEABLE is 0x7fffffff and is zero-extended to 0x000000007fffffff when promoted to the 64-bit unsigned long vm_flags. The AND therefore wipes every flag stored in bits 32 to 63, not just VM_MERGEABLE. If the VMA is registered with userfaultfd (UFFD) in MINOR mode, the UFFD flag lost this way leaves the VMA with a valid vma->vm_userfaultfd_ctx pointer but no UFFD flags, an inconsistency that userfaultfd_release_all() detects when the userfaultfd file descriptor is closed, producing a kernel BUG (or, on kernels with commit 31defc3b01d9, a WARNING at the same place). Other VM_* flags are not affected because they are int constants: negating them yields a negative int, which is sign-extended and keeps the upper bits set. The fix defines VM_MERGEABLE with the BIT() macro so that the constant has type unsigned long.
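The promotion mishap described in the commit message and in the answer above, shown as an added stand-alone C program; it is not kernel code and is not from this page. It assumes an LP64 target (Linux x86_64, where unsigned long is 64 bits and int and unsigned int are 32 bits). The names VM_MERGEABLE_OLD, VM_MERGEABLE_NEW, VM_LOW_INT_FLAG and HYP_HIGH_FLAG are this example's own, and the bit number used for the upper-32-bit flag is chosen for illustration as a stand-in for the userfaultfd MINOR flag.

```c
#include <stdio.h>

/*
 * Added illustration of the integer-promotion bug behind CVE-2025-40040.
 * User-space program, not kernel code.  Assumes an LP64 target (Linux x86_64):
 * unsigned long is 64 bits, int and unsigned int are 32 bits.
 */
_Static_assert(sizeof(unsigned long) == 8, "LP64 target assumed");

/* Pre-fix definition: the hex literal 0x80000000 does not fit in int, so the
 * C rules give it type unsigned int (32-bit). */
#define VM_MERGEABLE_OLD   0x80000000

/* Post-fix definition, matching the kernel's BIT() macro: unsigned long. */
#define BIT(nr)            (1UL << (nr))
#define VM_MERGEABLE_NEW   BIT(31)

/* A typical low flag of type int, to contrast the behaviour of ~ on a signed
 * 32-bit constant (the commit message notes these flags are unaffected). */
#define VM_LOW_INT_FLAG    0x00000200

/* Hypothetical flag above bit 31, standing in for any upper-32-bit flag such
 * as the userfaultfd MINOR flag; the bit number is an assumption. */
#define HYP_HIGH_FLAG      BIT(38)

/* vma->vm_flags &= ~VM_MERGEABLE, as compiled before the fix. */
unsigned long clear_mergeable_buggy(unsigned long vm_flags)
{
    /* ~0x80000000u is 0x7fffffffu; converting it to unsigned long zero-extends
     * to 0x000000007fffffff, so the AND also wipes bits 32..63. */
    return vm_flags & ~VM_MERGEABLE_OLD;
}

/* The same statement after the fix: ~BIT(31) is 0xffffffff7fffffff. */
unsigned long clear_mergeable_fixed(unsigned long vm_flags)
{
    return vm_flags & ~VM_MERGEABLE_NEW;
}

/* Clearing an int-typed flag: ~0x200 is the negative int -513, and converting
 * a negative int to unsigned long sign-extends, giving 0xfffffffffffffdff. */
unsigned long clear_low_int_flag(unsigned long vm_flags)
{
    return vm_flags & ~VM_LOW_INT_FLAG;
}

/* Returns 1 if the given clearing routine leaves the stand-in upper flag set. */
int high_bits_survive(unsigned long (*clear)(unsigned long))
{
    unsigned long flags = HYP_HIGH_FLAG | VM_MERGEABLE_NEW | VM_LOW_INT_FLAG;
    return (clear(flags) & HYP_HIGH_FLAG) != 0;
}

int main(void)
{
    /* Constructed vm_flags value: KSM flag, one low flag, one upper flag. */
    unsigned long flags = HYP_HIGH_FLAG | VM_MERGEABLE_NEW | VM_LOW_INT_FLAG;

    printf("mask before fix: 0x%016lx\n", (unsigned long)~VM_MERGEABLE_OLD);
    printf("mask after fix:  0x%016lx\n", ~VM_MERGEABLE_NEW);
    printf("vm_flags:        0x%016lx\n", flags);
    printf("buggy clear:     0x%016lx  (upper flag %s)\n",
           clear_mergeable_buggy(flags),
           high_bits_survive(clear_mergeable_buggy) ? "kept" : "DROPPED");
    printf("fixed clear:     0x%016lx  (upper flag %s)\n",
           clear_mergeable_fixed(flags),
           high_bits_survive(clear_mergeable_fixed) ? "kept" : "DROPPED");
    printf("int flag clear:  0x%016lx\n", clear_low_int_flag(flags));
    return 0;
}
```

Compile with cc -std=c11 -Wall and run: the buggy path returns only the low 0x200 bit and drops the stand-in upper flag, while the BIT()-based mask and the int-typed flag both keep it. The same reasoning generalises beyond VM_MERGEABLE: any flag written as a hex literal that sets bit 31 without a UL suffix has type unsigned int on LP64 and would truncate the upper half of a 64-bit word in exactly this way when used under ~ and &.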


How can this vulnerability impact me?

The practical impact is a local denial of service. A process that can register a VMA with userfaultfd in MINOR mode and then call madvise(MADV_UNMERGEABLE) on it leaves that VMA with inconsistent state (a userfaultfd context but no UFFD flags). When the userfaultfd descriptor is closed, userfaultfd_release_all() hits a kernel BUG on the affected releases, which is an Oops that kills the task and panics the machine where panic_on_oops is set; on kernels carrying commit 31defc3b01d9 the same condition produces a WARNING instead, which is still fatal where panic_on_warn is set. Any other flag kept in the upper 32 bits of vm_flags is silently dropped by the same operation. Triggering requires local code execution; this page gives no indication of memory corruption, privilege escalation, or remote reachability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is host-based: the bug leaves traces only in the kernel log, where it appears as the userfaultfd consistency check firing in userfaultfd_release_all(). The line number in the report (mm/userfaultfd.c:2067) is specific to the 6.16-rc6 build that syzkaller crashed and varies between versions, so match on the file name and function rather than the number. For the current boot use 'dmesg | grep -E "mm/userfaultfd\.c|userfaultfd_release_all"', and for persisted logs from the previous boot (a panic usually means the message survives only in the journal) use 'journalctl -k -b -1 | grep -E "mm/userfaultfd\.c|userfaultfd_release_all"'. The absence of such messages does not show that a host is patched: compare 'uname -r' against the first fixed release of each series in the affected-products table (5.4.302, 5.10.247, 5.15.197, 6.1.158, 6.6.114, 6.12.55, 6.17.3), keeping in mind that distribution kernels backport fixes without changing the upstream version number, so the distribution's package changelog should be checked for the commit "mm/ksm: fix flag-dropping behavior in ksm_madvise". There are no network-based indicators, since the issue is a kernel memory-management bug reached through local system calls.


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that includes the fix "mm/ksm: fix flag-dropping behavior in ksm_madvise", which defines VM_MERGEABLE with BIT() so that the constant is an unsigned long: that is the first fixed release of your stable series as listed under Affected Vendors & Products, or any release outside the affected ranges. Until the kernel is updated, the trigger needs both a userfaultfd registration in MINOR mode and a later madvise(MADV_UNMERGEABLE) on the same VMA, so for untrusted workloads denying the userfaultfd(2) system call (for example in a seccomp profile) removes the trigger; the vm.unprivileged_userfaultfd sysctl only restricts unprivileged processes and its semantics have changed across kernel versions, so it should not be relied on as the sole control. Avoiding madvise(MADV_UNMERGEABLE) on UFFD-registered regions in your own code is a workaround for software you control, not a system-wide mitigation.

