CVE-2025-40199
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches

Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crash the machine.

Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages. The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives.

Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types is complete for page_pool pages.

v2:
- Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap
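The mask derivation the commit message describes, as an added illustrative model written for this page (it is not the kernel's own definitions and not the patch): it treats unsigned long as 32 bits wide, assumes a hypothetical PP_SIGNATURE of 0x40 occupying bits 0..6 of pp_magic, and uses constructed values for PAGE_OFFSET and for a kernel pointer that aliases the field. It shows why the old, too-wide mask accepts any pointer whose low bits happen to equal the signature, why bounding the index bits at the lowest set bit of PAGE_OFFSET rejects every pointer at or above PAGE_OFFSET while a genuine tag still matches, and the fallback that disables dma_index storage when PAGE_OFFSET is zero or fewer than 8 bits remain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit kernel: "unsigned long" is 32 bits wide here. */
typedef uint32_t ulong32;
#define BITS_PER_LONG 32

/* ASSUMED for illustration (not the kernel's definition): a page_pool page
 * carries this tag in the low bits of pp_magic; bits 0..6 are reserved for it
 * and the DMA index is stored in the bits above. */
#define PP_SIGNATURE          ((ulong32)0x40)
#define PP_DMA_INDEX_SHIFT    7
/* Per v2 of the fix: disable dma_index storage unless at least 8 bits remain. */
#define PP_DMA_INDEX_MIN_BITS 8

struct pp_layout {
    unsigned dma_index_bits;   /* 0 means dma_index storage is disabled */
    ulong32  dma_index_mask;   /* bits of pp_magic that hold the index */
    ulong32  magic_mask;       /* bits of pp_magic compared with PP_SIGNATURE */
};

/* Pre-fix layout: every bit above the signature belongs to the index, so only
 * the low 7 bits are checked and any value ending in 0x40 looks like a pp page. */
struct pp_layout pp_layout_old(void)
{
    struct pp_layout l;
    l.dma_index_bits = BITS_PER_LONG - PP_DMA_INDEX_SHIFT;
    l.dma_index_mask = (~(ulong32)0) << PP_DMA_INDEX_SHIFT;
    l.magic_mask     = ~l.dma_index_mask;
    return l;
}

/* Fixed scheme: the index may only use bits strictly below the lowest set bit
 * of PAGE_OFFSET. Any pointer >= PAGE_OFFSET then has a bit set inside
 * magic_mask that PP_SIGNATURE does not have, so it can never match. */
struct pp_layout pp_layout_fixed(ulong32 page_offset)
{
    struct pp_layout l = { 0, 0, ~(ulong32)0 };   /* disabled: exact match only */
    unsigned bits = 0;

    if (page_offset != 0) {                        /* PAGE_OFFSET must be > 0 */
        unsigned lowest = (unsigned)__builtin_ctz(page_offset);
        if (lowest > PP_DMA_INDEX_SHIFT)           /* guard against wrapping */
            bits = lowest - PP_DMA_INDEX_SHIFT;
    }
    if (bits < PP_DMA_INDEX_MIN_BITS)
        return l;                                  /* too few bits: fall back */

    l.dma_index_bits = bits;
    l.dma_index_mask = ((((ulong32)1) << bits) - 1) << PP_DMA_INDEX_SHIFT;
    l.magic_mask     = ~l.dma_index_mask;
    return l;
}

/* The page_pool_page_is_pp()-style check on the value found in pp_magic. */
bool page_is_pp(ulong32 pp_magic, const struct pp_layout *l)
{
    return (pp_magic & l->magic_mask) == PP_SIGNATURE;
}

/* What a genuine page_pool page stores: signature plus (if enabled) an index. */
ulong32 pp_magic_encode(unsigned dma_index, const struct pp_layout *l)
{
    return PP_SIGNATURE |
           ((((ulong32)dma_index) << PP_DMA_INDEX_SHIFT) & l->dma_index_mask);
}

/* Constructed values: a parisc-like PAGE_OFFSET and a kernel pointer above it
 * whose low byte happens to be 0x40 (any pointer aliasing pp_magic could). */
#define DEMO_PAGE_OFFSET ((ulong32)0x10000000)
#define DEMO_KERNEL_PTR  ((ulong32)0x12345640)

/* Old mask: the aliasing pointer is mistaken for a page_pool page. */
bool old_mask_false_positive(void)
{
    struct pp_layout old = pp_layout_old();
    return page_is_pp(DEMO_KERNEL_PTR, &old);
}

/* Fixed mask: the same pointer is rejected, while a real tag still matches. */
bool fixed_mask_is_sound(void)
{
    struct pp_layout fixed = pp_layout_fixed(DEMO_PAGE_OFFSET);
    return !page_is_pp(DEMO_KERNEL_PTR, &fixed) &&
           page_is_pp(pp_magic_encode(5, &fixed), &fixed);
}

int main(void)
{
    struct pp_layout fixed = pp_layout_fixed(DEMO_PAGE_OFFSET);
    printf("old mask false positive: %d\n", old_mask_false_positive());
    printf("fixed: index bits=%u magic_mask=0x%08x sound=%d\n",
           fixed.dma_index_bits, (unsigned)fixed.magic_mask, fixed_mask_is_sound());
    printf("PAGE_OFFSET=0x1000 -> index bits=%u (storage disabled)\n",
           pp_layout_fixed(0x1000).dma_index_bits);
    return 0;
}
```

With PAGE_OFFSET = 0x10000000 the lowest set bit is 28, leaving 21 index bits (7..27) and a magic mask of 0xF000007F; the pointer 0x12345640 has bit 28 set and so fails the comparison under the fixed mask but passes under the old 7-bit mask. A PAGE_OFFSET of 0x1000 leaves only 5 bits, so the model disables the index exactly as the v2 note describes.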
Meta Information
Published
2025-11-12
Last Modified
2025-11-14
Generated
2026-05-07
AI Q&A
2025-11-13
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's page_pool code, specifically in how PP_MAGIC_MASK is defined. page_pool marks the pages it owns by writing a signature into the pp_magic field, and page_pool_page_is_pp() recognises such pages by masking that field and comparing the result with the signature. Because pp_magic aliases storage that otherwise holds ordinary kernel pointers, the mask has to keep enough bits under comparison that an arbitrary pointer cannot match by accident. On some 32-bit architectures (the report came from a 32-bit parisc machine) the mask was too wide, so unrelated kernel pointers produced false positives and the kernel crashed during boot. The fix narrows the DMA-index part of the field (PP_DMA_INDEX_BITS), using the lowest set bit of PAGE_OFFSET as its upper bound on the assumption that the aliasing pointers are always above PAGE_OFFSET. Where PAGE_OFFSET is not a usable compile-time constant, is not greater than zero, or leaves fewer than 8 bits, dma_index storage is disabled instead of risking the false positives.


How can this vulnerability impact me?

The impact is on availability: on the affected 32-bit architecture configurations the kernel can crash while booting, so the machine fails to come up. The commit message reports the crash only for 32-bit builds (32-bit parisc is the confirmed case) and gives no indication that the bug is remotely triggerable or usable for anything beyond a denial of service; this page shows no CVSS or EPSS score for it.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by the kernel patch that changes the PP_DMA_INDEX_BITS definition so that PP_MAGIC_MASK no longer matches arbitrary kernel pointers. Update to a kernel that contains this fix; the affected product is listed here only as linux_kernel with version "*", so check your distribution's kernel changelog for the commit title "page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches". Do not work around the crash by disabling the check in page_pool_page_is_pp(): the commit message states that this makes the page_pool code itself malfunction. Prioritise 32-bit machines, since those are the configurations on which the crash is reported.

