CVE-2025-21984: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mm: fix kernel BUG when userfaultfd_move encounters swapcache

userfaultfd_move() checks whether the PTE entry is present or a swap entry.

- If the PTE entry is present, move_present_pte() handles folio migration by setting:
  src_folio->index = linear_page_index(dst_vma, dst_addr);
- If the PTE entry is a swap entry, move_swap_pte() simply copies the PTE to the new dst_addr.

This approach is incorrect because, even if the PTE is a swap entry, it can still reference a folio that remains in the swap cache. This creates a race window between steps 2 and 4.

1. add_to_swap: The folio is added to the swapcache.
2. try_to_unmap: PTEs are converted to swap entries.
3. pageout: The folio is written back.
4. Swapcache is cleared.

If userfaultfd_move() occurs in the window between steps 2 and 4, after the swap PTE has been moved to the destination, accessing the destination triggers do_swap_page(), which may locate the folio in the swapcache. However, since the folio's index has not been updated to match the destination VMA, do_swap_page() will detect a mismatch. This can result in two critical issues depending on the system configuration.

If KSM is disabled, both small and large folios can trigger a BUG during the add_rmap operation due to:

page_pgoff(folio, page) != linear_page_index(vma, address)

[ 13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c
[ 13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0
[ 13.337716] memcg:ffff00000405f000
[ 13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)
[ 13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361
[ 13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000
[ 13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361
[ 13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000
[ 13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001
[ 13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))
[ 13.340190] ------------[ cut here ]------------
[ 13.340316] kernel BUG at mm/rmap.c:1380!
[ 13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 13.340969] Modules linked in:
[ 13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299
[ 13.341470] Hardware name: linux,dummy-virt (DT)
[ 13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 13.341815] pc : __page_check_anon_rmap+0xa0/0xb0
[ 13.341920] lr : __page_check_anon_rmap+0xa0/0xb0
[ 13.342018] sp : ffff80008752bb20
[ 13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001
[ 13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001
[ 13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00
[ 13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff
[ 13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f
[ 13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0
[ 13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40
[ 13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8
[ 13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000
[ 13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f
[ 13.343876] Call trace:
[ 13.344045] __page_check_anon_rmap+0xa0/0xb0 (P)
[ 13.344234] folio_add_anon_rmap_ptes+0x22c/0x320
[ 13.344333] do_swap_page+0x1060/0x1400
[ 13.344417] __handl ---truncated---
AI Analysis
Technical Summary
CVE-2025-21984 is a bug in the Linux kernel's memory management code, in userfaultfd_move(), the kernel side of the UFFDIO_MOVE userfaultfd ioctl that moves anonymous pages from a source range to a destination range in the same address space without copying them. For each source PTE the function distinguishes a present PTE from a swap entry. The present case, move_present_pte(), migrates the folio and rewrites its index for the destination (src_folio->index = linear_page_index(dst_vma, dst_addr)); the swap case, move_swap_pte(), only copied the swap PTE. The flaw is the assumption that a swap PTE never refers to a folio that is still in memory. Between try_to_unmap() converting the PTEs to swap entries and the swapcache being cleared after writeback, the folio is still in the swapcache with the index of its old address. If the move lands in that window and the destination is then touched, do_swap_page() finds the folio in the swapcache and maps it at the destination, and folio_add_anon_rmap_ptes() checks page_pgoff(folio, page) == linear_page_index(vma, address). The stale index fails that check and VM_BUG_ON_PAGE() fires in __page_check_anon_rmap() (mm/rmap.c in the trace). That is a kernel BUG: the faulting task is killed in an oops and, depending on kernel.panic_on_oops and what locks were held, the host panics or is left unstable. The trace in the description is the KSM-disabled case, where both small and large folios hit the rmap BUG; the description says a different failure occurs in the other configuration, but that part is truncated here, so KSM state does not avoid the bug. The outcome is denial of service; nothing on this page indicates memory corruption usable for privilege escalation or code execution. The CVE record's affected range starts at commit adef440691bab824e39c1b17382322d195e1fab0, which introduced UFFDIO_MOVE (Linux 6.8); earlier kernels do not contain userfaultfd_move() and are not affected. The crash in the trace was reproduced on 6.14.0-rc3 by an ordinary user-space program (Comm: a.out). No CVSS score has been assigned, and no exploitation in the wild had been reported as of publication (April 1, 2025).
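The index mismatch in the crash dump, replayed as an added example (a constructed model written for this page, not kernel code and not the upstream patch): linear_page_index() computes the page offset a VMA address should map to, an anonymous folio's index records the offset it was set up for, and __page_check_anon_rmap() BUGs when the two disagree. The model assumes the private-anonymous-VMA layout vm_pgoff == vm_start >> PAGE_SHIFT, picks VMA bounds and a source address that are consistent with the dump's index:0xffffaf150 and the faulting address 0xffffaf0d0000 (x22/x23) but are not themselves in the dump, and maps page 0 of the folio. It contrasts the pre-fix swap path, which leaves the index alone, with applying the index update that move_present_pte() already performs; the actual upstream fix is not reproduced on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the anon rmap invariant behind the BUG in the trace.
 * Not kernel code: each struct keeps only the fields the check needs.
 * Assumption: a private anonymous VMA has vm_pgoff == vm_start >> PAGE_SHIFT,
 * so linear_page_index() reduces to address >> PAGE_SHIFT.
 */
#define PAGE_SHIFT 12
typedef uint64_t pgoff_t;

struct vm_area_struct {
    uint64_t vm_start;
    pgoff_t  vm_pgoff;     /* page offset that vm_start corresponds to */
};

struct folio {
    pgoff_t index;         /* page offset the folio's first page is expected at */
};

/* Same arithmetic as the kernel's linear_page_index(). */
static pgoff_t linear_page_index(const struct vm_area_struct *vma, uint64_t address)
{
    return ((address - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* page_pgoff() for an anonymous folio: index plus the page's slot inside the folio. */
static pgoff_t page_pgoff(const struct folio *folio, unsigned page_in_folio)
{
    return folio->index + page_in_folio;
}

/* The condition VM_BUG_ON_PAGE() asserts in __page_check_anon_rmap(); true means "would not BUG". */
static bool anon_rmap_consistent(const struct folio *folio, unsigned page_in_folio,
                                 const struct vm_area_struct *vma, uint64_t address)
{
    return page_pgoff(folio, page_in_folio) == linear_page_index(vma, address);
}

/* move_present_pte(): the folio follows the PTE, so its index is rewritten for the destination. */
static void move_present_pte(struct folio *src_folio,
                             const struct vm_area_struct *dst_vma, uint64_t dst_addr)
{
    src_folio->index = linear_page_index(dst_vma, dst_addr);
}

/*
 * Pre-fix move_swap_pte(): only the swap PTE is copied. A folio that is still
 * in the swapcache behind that entry keeps the index of the source address.
 */
static void move_swap_pte_unfixed(struct folio *swapcache_folio,
                                  const struct vm_area_struct *dst_vma, uint64_t dst_addr)
{
    (void)swapcache_folio; (void)dst_vma; (void)dst_addr;   /* nothing touches the folio */
}

/* Anonymous VMA starting at vm_start, laid out the way mmap() does for private anon memory (assumption). */
static struct vm_area_struct anon_vma_at(uint64_t vm_start)
{
    struct vm_area_struct vma = { .vm_start = vm_start, .vm_pgoff = vm_start >> PAGE_SHIFT };
    return vma;
}

/*
 * Replay the dump's numbers: folio index 0xffffaf150 and a fault at 0xffffaf0d0000.
 * The VMA bounds and the source address are constructed so that the folio's index
 * comes out at the dump's value; they are not in the dump.
 * Returns true when do_swap_page() at dst_addr would pass the rmap check.
 */
static bool replay_move(bool update_index_like_present_path)
{
    struct vm_area_struct src_vma = anon_vma_at(0xffffaf140000ULL);
    struct vm_area_struct dst_vma = anon_vma_at(0xffffaf0c0000ULL);
    uint64_t src_addr = 0xffffaf150000ULL;
    uint64_t dst_addr = 0xffffaf0d0000ULL;
    struct folio f = { .index = linear_page_index(&src_vma, src_addr) };   /* 0xffffaf150 */

    if (update_index_like_present_path)
        move_present_pte(&f, &dst_vma, dst_addr);      /* index becomes 0xffffaf0d0 */
    else
        move_swap_pte_unfixed(&f, &dst_vma, dst_addr); /* index stays 0xffffaf150 */

    /* do_swap_page() finds the folio in the swapcache and maps its first page at dst_addr */
    return anon_rmap_consistent(&f, 0, &dst_vma, dst_addr);
}

int main(void)
{
    printf("swap PTE moved, index untouched:   rmap check %s\n",
           replay_move(false) ? "passes" : "fails -> VM_BUG_ON_PAGE");
    printf("swap PTE moved, index updated:     rmap check %s\n",
           replay_move(true) ? "passes" : "fails");
    return 0;
}
```

The delta between 0xffffaf150 and 0xffffaf0d0 is 0x80 pages, i.e. the folio was moved 512 KiB down from where its index says it lives; any do_swap_page() at the destination will trip the check until the index is rewritten.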
Potential Impact
For European organizations the impact of CVE-2025-21984 is to availability. Linux runs across enterprises, government, cloud providers and critical infrastructure, and a kernel BUG takes down the whole host, not just the offending process: on a container node or hypervisor every tenant on that machine is affected. The trigger is local (a process holding a userfaultfd descriptor issues UFFDIO_MOVE while its pages are being swapped out), so the realistic threat is a malicious or buggy workload on a shared system, or a legitimate userfaultfd user such as a compacting garbage collector, the use case UFFDIO_MOVE was introduced for, hitting the race under memory pressure. Only kernels that contain UFFDIO_MOVE (6.8 and later) with swap enabled can reach the code path. The disruption complicates incident response and, where services stop or processing is interrupted, has knock-on effects on availability obligations under GDPR and on sector regulation in finance, healthcare and energy. No confidentiality or integrity impact is indicated. The absence of a known exploit lowers the immediate threat but does not remove the risk that the trigger conditions are weaponized for a local DoS.
Mitigation Recommendations
To mitigate CVE-2025-21984, European organizations should: 1) Update to a kernel that contains the fix (the CVE is marked resolved upstream, so stable and distribution kernels carry the backport) on every host running 6.8 or later; older kernels lack UFFDIO_MOVE and are not affected. 2) Prioritize multi-tenant hosts, that is container nodes, hypervisors and shared build or HPC systems where one local process can take down every workload on the machine, and any system that runs userfaultfd-based memory managers with swap enabled. 3) Do not treat KSM settings as a workaround: the description says the failure mode differs between KSM enabled and disabled, not that either setting avoids it. 4) Until patched, reduce who can reach the code path. userfaultfd and the UFFDIO_MOVE ioctl are not privileged operations; the sysctl vm.unprivileged_userfaultfd=0 limits unprivileged processes to user-mode-only fault handling but does not by itself block the ioctl, whereas denying the userfaultfd() syscall in the seccomp profile of workloads that do not need it removes the path entirely. Disabling swap on hosts whose memory budget allows it removes the swapcache window. 5) Monitor kernel logs (dmesg, journalctl -k, or forwarded syslog) for the signature in the description: "kernel BUG at mm/rmap.c", "VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))", and a call trace through __page_check_anon_rmap, folio_add_anon_rmap_ptes and do_swap_page. The line number after mm/rmap.c differs between kernel builds, so match on the function names, and configure kdump or pstore so the oops survives a panic. 6) Stage the kernel update through test and canary hosts before fleet-wide rollout. 7) Keep backups and recovery plans current so an unexpected panic is a reboot rather than an outage. 8) Track distribution advisories for the backported fix and any later exploit reports.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.799Z
- CISA Enriched: false
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8e27
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 11:28:25 AM
Last updated: 8/11/2025, 5:22:25 PM