
CVE-2025-21881: Vulnerability in the Linux kernel

Severity: High
Published: Thu Mar 27 2025 (03/27/2025, 14:57:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

uprobes: Reject the shared zeropage in uprobe_write_opcode()

We triggered the following crash in syzkaller tests:

  BUG: Bad page state in process syz.7.38 pfn:1eff3
  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
  flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)
  raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
  raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x32/0x50
   bad_page+0x69/0xf0
   free_unref_page_prepare+0x401/0x500
   free_unref_page+0x6d/0x1b0
   uprobe_write_opcode+0x460/0x8e0
   install_breakpoint.part.0+0x51/0x80
   register_for_each_vma+0x1d9/0x2b0
   __uprobe_register+0x245/0x300
   bpf_uprobe_multi_link_attach+0x29b/0x4f0
   link_create+0x1e2/0x280
   __sys_bpf+0x75f/0xac0
   __x64_sys_bpf+0x1a/0x30
   do_syscall_64+0x56/0x100
   entry_SYSCALL_64_after_hwframe+0x78/0xe2
  BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1

The following syzkaller test case can be used to reproduce:

  r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8)
  write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)
  r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0)
  mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
  r5 = userfaultfd(0x80801)
  ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})
  r6 = userfaultfd(0x80801)
  ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))
  ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})
  ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})
  r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
  bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)

The cause is that the zero pfn is set in the PTE without increasing the RSS count in mfill_atomic_pte_zeropage(), and the refcount of the zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page(), which unconditionally decreases the RSS count and old_folio's refcount. Therefore, two bugs are introduced:

1. The RSS count is incorrect; when the process exits, check_mm() reports the error "Bad rss-count".
2. The reserved folio (zero folio) is freed when folio->refcount is zero, and then free_pages_prepare->free_page_is_bad() reports the error "Bad page state".

There is more: the following warning could also theoretically be triggered:

  __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)

Considering that a uprobe hit on the zero folio is a very rare case, just reject the zero old folio immediately after get_user_page_vma_remote().

[ mingo: Cleaned up the changelog ]

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 10:13:30 UTC

Technical Analysis

CVE-2025-21881 is a vulnerability in the Linux kernel's uprobe subsystem, specifically in the function uprobe_write_opcode(). The issue arises from improper handling of the shared zero page (zero folio) during page reference counting. The bug was discovered through syzkaller fuzz testing, which triggered kernel crashes due to bad page states and incorrect RSS (resident set size) counters. The root cause is that mfill_atomic_pte_zeropage() installs the zero page frame number (pfn) in the page table entry (PTE) without incrementing the RSS count, and without increasing the zero folio's reference count. When a uprobe is later installed at an address backed by that PTE, uprobe_write_opcode() calls __replace_page(), which unconditionally decrements both the RSS count and the old folio's reference count. This leads to two critical bugs: (1) an incorrect RSS count, reported as a "Bad rss-count" error by check_mm() when the process exits, and (2) premature freeing of the reserved zero folio once its reference count reaches zero, reported as a "Bad page state" error. Additionally, a VM_WARN_ON_FOLIO warning for the zero folio in the __replace_page() path (via folio_remove_rmap_pte()) could theoretically be triggered. A uprobe hitting the zero folio is a rare case; the fix rejects a zero old folio immediately after get_user_page_vma_remote(), so that __replace_page() is never reached for it. The vulnerability affects the Linux kernel versions identified in the CVE record by commit hash and was publicly disclosed on March 27, 2025. No known exploits are currently reported in the wild. The vulnerability impacts kernel stability and memory management integrity, potentially leading to system crashes or denial of service (DoS) conditions when triggered.

Potential Impact

For European organizations, the impact of CVE-2025-21881 primarily involves system stability and availability risks. Since the vulnerability can cause kernel crashes and memory corruption, affected Linux systems may experience unexpected reboots or denial of service, disrupting critical services and operations. Organizations relying on Linux servers for web hosting, cloud infrastructure, container orchestration, or embedded systems could face operational downtime. The vulnerability does not directly indicate privilege escalation or data confidentiality breaches; however, system crashes could indirectly affect data integrity and availability. Given the widespread use of Linux in European enterprises, public sector, and telecommunications, the disruption potential is significant, especially in environments where uptime and reliability are critical. The lack of known exploits reduces immediate risk, but the complexity of the vulnerability and its kernel-level nature mean that sophisticated attackers or accidental triggers could cause impactful outages. Additionally, the vulnerability affects kernel memory management internals, which are foundational to system security and stability, so unpatched systems remain at risk of instability and potential exploitation in the future.

Mitigation Recommendations

To mitigate CVE-2025-21881, European organizations should:

1) Apply the official Linux kernel patches that address the zero folio reference counting and RSS count issues as soon as they become available from trusted Linux distribution vendors or the Linux kernel mainline.
2) Prioritize patching on systems running kernel versions identified as vulnerable, especially those used in production, cloud, or critical infrastructure environments.
3) Implement kernel live patching solutions where possible to reduce downtime during patch deployment.
4) Monitor kernel logs and system crash reports for symptoms related to bad page states or rss-count errors, which may indicate attempts to trigger this vulnerability.
5) Restrict unprivileged user access to debugging and tracing facilities that use uprobes, as exploitation requires triggering uprobe_write_opcode() paths.
6) Harden container and virtualization environments by limiting capabilities and isolating workloads to reduce the attack surface.
7) Maintain robust backup and recovery procedures to minimize impact from potential system crashes.
8) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about updates and exploit developments related to this vulnerability.
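Recommendation 4 above calls for watching kernel logs for the two "BUG:" signatures quoted in the description. The following is an added example (not code from the advisory or the kernel project) of a small dmesg scanner that attributes a "Bad page state" report to this bug only when its call trace passes through the uprobe path named in the description, so that unrelated page-state or rss-counter reports are not misattributed. The log excerpt is constructed for the example; function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed dmesg excerpt modelled on the crash report quoted in the CVE text;
# the trailing USB line is unrelated noise. Not a capture from a real system.
SAMPLE_DMESG = """\
[  120.001] BUG: Bad page state in process syz.7.38  pfn:1eff3
[  120.002] Call Trace:
[  120.003]  <TASK>
[  120.004]  bad_page+0x69/0xf0
[  120.005]  free_unref_page+0x6d/0x1b0
[  120.006]  uprobe_write_opcode+0x460/0x8e0
[  120.007]  install_breakpoint.part.0+0x51/0x80
[  120.008]  </TASK>
[  120.009] BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1
[  130.000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

BUG_RE = re.compile(r"BUG: Bad (page state|rss-counter state)(?: in process (\S+))?")
# Frames on the path named in the description: install_breakpoint -> uprobe_write_opcode -> __replace_page
UPROBE_FRAMES = ("uprobe_write_opcode", "__replace_page", "install_breakpoint")

@dataclass
class Finding:
    kind: str                 # "page state" or "rss-counter state"
    process: str              # offending task, or "?" when the line names none
    frames: list = field(default_factory=list)   # uprobe-related frames seen in the trace

    def matches_cve_2025_21881(self) -> bool:
        # Attribute only a bad-page-state report whose trace runs through the uprobe path.
        return self.kind == "page state" and bool(self.frames)

def scan_dmesg(text: str) -> list:
    """Collect every 'BUG: Bad ...' report with the uprobe frames from its call trace."""
    findings, in_trace = [], False
    for line in text.splitlines():
        m = BUG_RE.search(line)
        if m:
            findings.append(Finding(m.group(1), m.group(2) or "?"))
            in_trace = False
        elif "Call Trace:" in line and findings:
            in_trace = True
        elif in_trace and "</TASK>" in line:
            in_trace = False
        elif in_trace:
            findings[-1].frames.extend(f for f in UPROBE_FRAMES if f in line)
    return findings

def suspicious(text: str) -> list:
    return [f for f in scan_dmesg(text) if f.matches_cve_2025_21881()]
```

Feeding the output of `dmesg` or the journal's kernel messages to suspicious() yields only the reports worth escalating; an rss-counter line on its own is recorded but not attributed.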


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.782Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8ade

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 10:13:30 AM

Last updated: 7/27/2025, 4:10:29 PM

