CVE-2025-21778: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

tracing: Do not allow mmap() of persistent ring buffer

When trying to mmap a trace instance buffer that is attached to reserve_mem, it would crash:

BUG: unable to handle page fault for address: ffffe97bd00025c8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 2862f3067 P4D 2862f3067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI
CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:validate_page_before_insert+0x5/0xb0
Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89
RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246
RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29
RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08
RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000
R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000
FS: 00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0
Call Trace:
<TASK>
? __die_body.cold+0x19/0x1f
? __die+0x2e/0x40
? page_fault_oops+0x157/0x2b0
? search_module_extables+0x53/0x80
? validate_page_before_insert+0x5/0xb0
? kernelmode_fixup_or_oops.isra.0+0x5f/0x70
? __bad_area_nosemaphore+0x16e/0x1b0
? bad_area_nosemaphore+0x16/0x20
? do_kern_addr_fault+0x77/0x90
? exc_page_fault+0x22b/0x230
? asm_exc_page_fault+0x2b/0x30
? validate_page_before_insert+0x5/0xb0
? vm_insert_pages+0x151/0x400
__rb_map_vma+0x21f/0x3f0
ring_buffer_map+0x21b/0x2f0
tracing_buffers_mmap+0x70/0xd0
__mmap_region+0x6f0/0xbd0
mmap_region+0x7f/0x130
do_mmap+0x475/0x610
vm_mmap_pgoff+0xf2/0x1d0
ksys_mmap_pgoff+0x166/0x200
__x64_sys_mmap+0x37/0x50
x64_sys_call+0x1670/0x1d70
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The reason was that the code that maps the ring buffer pages to user space has:

page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);

And uses that in:

vm_insert_pages(vma, vma->vm_start, pages, &nr_pages);

But virt_to_page() does not work with vmap()'d memory which is what the persistent ring buffer has.

It is rather trivial to allow this, but for now just disable mmap() of instances that have their ring buffer from the reserve_mem option.

If an mmap() is performed on a persistent buffer it will return -ENODEV just like it would if the .mmap field wasn't defined in the file_operations structure.
AI Analysis
Technical Summary
CVE-2025-21778 is a vulnerability in the Linux kernel's tracing subsystem, in its handling of persistent ring buffers. The issue arises when a trace instance buffer that is attached to reserved memory (reserve_mem) is mmap()'d into user space. The mapping code converts the buffer's virtual addresses to page structures with virt_to_page(), but that function is not valid for memory allocated via vmap(), which is how persistent ring buffers are backed. The result is a kernel page fault during the mmap() call, which manifests as a BUG in validate_page_before_insert() and an unrecoverable kernel oops. The fix mitigates the issue by disabling mmap() on persistent ring buffers allocated from reserve_mem and returning -ENODEV instead of crashing, the same error a caller would see if the .mmap field were not defined in the file_operations structure. This issue affects Linux kernel versions around 6.14.0-rc2-test and likely other versions using similar tracing and memory management implementations. The root cause is the improper handling of vmap()'d memory in the tracing ring buffer mmap path; it can be triggered, even unintentionally, by an mmap() call on an affected buffer, causing denial of service through a kernel crash. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux-based systems, especially those using advanced tracing and debugging features or custom kernel builds with reserve_mem configurations, this vulnerability poses a risk of denial of service. A malicious or unprivileged user with the ability to invoke mmap() on tracing buffers could cause kernel crashes, leading to system instability or downtime. This could impact critical infrastructure, cloud services, and enterprise environments where Linux kernels are widely deployed. The inability to mmap persistent ring buffers safely may also hinder debugging and monitoring capabilities, affecting operational visibility. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panics could disrupt services, impacting availability and potentially leading to data loss or interrupted business processes. Organizations with high availability requirements or those operating in regulated sectors (e.g., finance, healthcare, energy) may face compliance and operational risks if systems are affected.
Mitigation Recommendations
1. Apply the latest Linux kernel patches that disable mmap() on persistent ring buffers allocated from reserve_mem, as provided by the Linux kernel maintainers.
2. Avoid using reserve_mem for tracing ring buffers until a proper fix allowing safe mmap() is implemented.
3. Restrict access to tracing interfaces and mmap operations to trusted users only, minimizing the risk of accidental or malicious triggering of the vulnerability.
4. Monitor kernel logs for oops or BUG messages related to tracing and mmap operations to detect potential exploitation attempts.
5. For environments requiring persistent ring buffer mmap functionality, consider alternative tracing configurations or wait for upstream fixes that properly handle vmap()'d memory.
6. Implement robust kernel crash recovery and system monitoring to reduce downtime in case of exploitation.
7. Engage with Linux distribution vendors for backported patches and security advisories relevant to deployed kernel versions.
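As an added example (not part of the advisory or of the kernel tree), the following Python script implements recommendation 4 above: it parses dmesg-style kernel log lines, groups them into oops reports, and flags those whose fault is in validate_page_before_insert() and whose call trace passes through the tracing ring-buffer mmap path (tracing_buffers_mmap, ring_buffer_map, __rb_map_vma), which is the signature in this CVE's call trace. The sample log is constructed: the matching oops is excerpted from the advisory's trace with made-up timestamps, and the second, non-matching oops uses a hypothetical function name to show that the filter does not fire on unrelated page faults.

```python
"""Flag kernel oops reports matching the CVE-2025-21778 tracing-mmap crash signature.

Added example for log monitoring; it is not code from the advisory or the kernel.
"""
import re
from dataclasses import dataclass, field

# Frames from the advisory's call trace that identify the tracing mmap path.
TRACING_MMAP_FRAMES = ("tracing_buffers_mmap", "ring_buffer_map", "__rb_map_vma")
# Function in which the advisory's oops faulted.
FAULT_FRAME = "validate_page_before_insert"

_TIMESTAMP = re.compile(r"^(?:\[\s*\d+\.\d+\]\s*)?(.*)$")   # optional dmesg "[ 12.345678]" prefix
_CPU_LINE = re.compile(r"CPU:\s*(\d+).*?PID:\s*(\d+)\s+Comm:\s*(\S+)")
_RIP_LINE = re.compile(r"^RIP:\s*[0-9a-f]+:([A-Za-z_][\w.]*)")
_FRAME = re.compile(r"^(?:\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class Oops:
    fault_addr: str = ""
    pid: int = -1
    comm: str = ""
    rip: str = ""                 # symbol the faulting instruction belongs to
    frames: list = field(default_factory=list)


def parse_oops_blocks(lines):
    """Group log lines into Oops records; a new record starts at each BUG: page-fault line."""
    blocks, cur = [], None
    for raw in lines:
        line = _TIMESTAMP.match(raw).group(1).strip()
        if line.startswith("BUG: unable to handle page fault for address:"):
            cur = Oops(fault_addr=line.rsplit(" ", 1)[1])
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = _CPU_LINE.search(line)
        if m:
            cur.pid, cur.comm = int(m.group(2)), m.group(3)
            continue
        m = _RIP_LINE.match(line)
        if m:
            cur.rip = m.group(1)
            continue
        m = _FRAME.match(line)
        if m:
            cur.frames.append(m.group(1))   # "? " (unreliable) frames are kept too
        elif line.startswith("</TASK>") or line.startswith("---[ end trace"):
            cur = None                      # end of this report
    return blocks


def matches_cve_2025_21778(oops):
    """True when the fault is in validate_page_before_insert() reached via the tracing mmap path."""
    faulted_in_insert = oops.rip == FAULT_FRAME or FAULT_FRAME in oops.frames
    via_tracing_mmap = any(f in oops.frames for f in TRACING_MMAP_FRAMES)
    return faulted_in_insert and via_tracing_mmap


def scan(lines):
    """Return only the oops reports that match the CVE-2025-21778 signature."""
    return [o for o in parse_oops_blocks(lines) if matches_cve_2025_21778(o)]


# Constructed sample log: timestamps are made up; the first oops is excerpted from the
# advisory's trace, the second is a hypothetical unrelated fault (function name invented).
SAMPLE_LOG = [
    "[   10.000001] tracefs: mounted (constructed benign line)",
    "[   12.345678] BUG: unable to handle page fault for address: ffffe97bd00025c8",
    "[   12.345679] #PF: supervisor read access in kernel mode",
    "[   12.345680] CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233",
    "[   12.345681] RIP: 0010:validate_page_before_insert+0x5/0xb0",
    "[   12.345682] Call Trace:",
    "[   12.345683] <TASK>",
    "[   12.345684] ? validate_page_before_insert+0x5/0xb0",
    "[   12.345685] ? vm_insert_pages+0x151/0x400",
    "[   12.345686] __rb_map_vma+0x21f/0x3f0",
    "[   12.345687] ring_buffer_map+0x21b/0x2f0",
    "[   12.345688] tracing_buffers_mmap+0x70/0xd0",
    "[   12.345689] __mmap_region+0x6f0/0xbd0",
    "[   12.345690] do_syscall_64+0xbb/0x1d0",
    "[   12.345691] </TASK>",
    "[   20.000001] BUG: unable to handle page fault for address: 0000000000000010",
    "[   20.000002] CPU: 1 UID: 0 PID: 500 Comm: other-tool Not tainted 6.14.0-rc2 #1",
    "[   20.000003] RIP: 0010:hypothetical_driver_read+0x10/0x80",
    "[   20.000004] Call Trace:",
    "[   20.000005] <TASK>",
    "[   20.000006] vfs_read+0xb0/0x300",
    "[   20.000007] ksys_read+0x5e/0xe0",
    "[   20.000008] </TASK>",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"CVE-2025-21778 signature: pid={hit.pid} comm={hit.comm} "
              f"fault_addr={hit.fault_addr} via {' <- '.join(hit.frames)}")
```

In production, feed `scan()` the output of `dmesg` or `journalctl -k` line by line; the parser keeps the unreliable "? " frames because the advisory's own trace shows validate_page_before_insert() only in such frames above the reliable ring-buffer frames.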
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.763Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe879d
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:58:21 AM
Last updated: 8/6/2025, 5:55:54 PM