
CVE-2025-37868: Vulnerability in the Linux kernel (vendor: Linux)

Severity: High
Type: Vulnerability
Published: Fri May 09 2025 (05/09/2025, 06:43:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/userptr: fix notifier vs folio deadlock

User is reporting what smells like notifier vs folio deadlock, where migrate_pages_batch() on core kernel side is holding folio lock(s) and then interacting with the mappings of it, however those mappings are tied to some userptr, which means calling into the notifier callback and grabbing the notifier lock. With perfect timing it looks possible that the pages we pulled from the hmm fault can get sniped by migrate_pages_batch() at the same time that we are holding the notifier lock to mark the pages as accessed/dirty, but at this point we also want to grab the folio lock(s) to mark them as dirty, but if they are contended from notifier/migrate_pages_batch side then we deadlock since folio lock won't be dropped until we drop the notifier lock. Fortunately the mark_page_accessed/dirty is not really needed in the first place it seems and should have already been done by hmm fault, so just remove it.

(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 00:41:48 UTC

Technical Analysis

CVE-2025-37868 is a concurrency vulnerability in the Linux kernel, specifically in the Direct Rendering Manager (DRM) subsystem's Xe user pointer handling code (drm/xe/userptr). The issue is a deadlock between a notifier callback and folio locks during page migration. The root cause is a lock-ordering conflict. On one side, the core kernel function migrate_pages_batch() holds folio lock(s) while interacting with the mappings of those folios; because the mappings belong to a userptr, this calls into the notifier callback, which must take the notifier lock. On the other side, the Xe userptr path, having just pulled pages through an HMM fault, holds the notifier lock while marking those pages accessed/dirty, which in turn requires the folio lock(s) that migrate_pages_batch() already holds. Neither side can make progress: the folio lock is not released until the notifier lock is released, and the notifier lock is not released until the folio lock is obtained. This circular lock dependency stalls the kernel's memory-management path. The vulnerability does not directly affect confidentiality or integrity, but it affects availability by causing kernel hangs or system instability. The fix removes the mark_page_accessed/dirty calls from the Xe userptr path, since the HMM fault handler has already performed those operations; with no folio lock taken under the notifier lock, the cycle is broken. The affected Linux kernel versions are those carrying the Xe userptr code before the patch was applied. No exploits are known in the wild, and no CVSS score has been assigned. This vulnerability is primarily a stability and denial-of-service risk for Linux systems that use the DRM Xe user pointer functionality.
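The deadlock described above is the classic ABBA pattern: one path takes folio lock then notifier lock, the other takes notifier lock then folio lock. The kernel's lockdep facility catches this class of bug at runtime by recording the order in which locks are nested and refusing a cycle. The following is an added example (not kernel code and not part of this advisory) that models the same check offline: it builds a lock-order graph from per-path acquisition traces and reports any cycle. The trace dictionaries, path labels and lock names are constructed from the advisory's description; the algorithm is general and works for any number of locks and paths, not only the two-lock case on this page.

```python
"""Lock-order cycle detection, in the spirit of the kernel's lockdep, applied to the
ABBA pattern behind CVE-2025-37868. Added example code, not kernel code; lock and
path names are labels constructed from the advisory text."""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Acquisition order per code path BEFORE the fix (constructed from the description):
#   migrate_pages_batch() holds folio lock(s), then calls the notifier -> notifier lock
#   Xe userptr path holds the notifier lock, then mark_page_accessed/dirty -> folio lock
BEFORE_FIX: Dict[str, List[str]] = {
    "migrate_pages_batch": ["folio_lock", "notifier_lock"],
    "xe_userptr_after_hmm_fault": ["notifier_lock", "folio_lock"],
}
# AFTER the fix the mark_page_accessed/dirty calls are gone, so the Xe path never
# takes a folio lock while holding the notifier lock.
AFTER_FIX: Dict[str, List[str]] = {
    "migrate_pages_batch": ["folio_lock", "notifier_lock"],
    "xe_userptr_after_hmm_fault": ["notifier_lock"],
}


def build_order_graph(traces: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Edge outer -> inner means some path acquired `inner` while holding `outer`."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for locks in traces.values():
        for i, outer in enumerate(locks):
            for inner in locks[i + 1:]:
                graph[outer].add(inner)
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Depth-first search for a cycle; returns the closed lock sequence or None.
    A cycle in the order graph is exactly a possible ABBA deadlock."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {}
    stack: List[str] = []

    def dfs(node: str) -> Optional[List[str]]:
        colour[node] = GREY
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            state = colour.get(nxt, WHITE)
            if state == GREY:  # back edge: nxt is already on the current path
                return stack[stack.index(nxt):] + [nxt]
            if state == WHITE:
                found = dfs(nxt)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return None

    for start in sorted(graph):
        if colour.get(start, WHITE) == WHITE:
            found = dfs(start)
            if found:
                return found
    return None


def check_lock_order(traces: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the inversion cycle for a set of acquisition traces, or None if acyclic."""
    return find_cycle(build_order_graph(traces))


if __name__ == "__main__":
    for label, traces in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        cycle = check_lock_order(traces)
        if cycle:
            print(f"{label}: possible deadlock {' -> '.join(cycle)}")
        else:
            print(f"{label}: lock order is acyclic")
```

Run as a script it reports the folio_lock -> notifier_lock -> folio_lock cycle for the pre-fix traces and an acyclic order afterwards, which is precisely why deleting the redundant mark_page_accessed/dirty calls was a sufficient fix: it removes the only edge that closed the cycle.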

Potential Impact

For European organizations, the primary impact of CVE-2025-37868 is on system availability and stability, particularly for those running Linux kernels with DRM Xe user pointer support enabled. This vulnerability can lead to kernel deadlocks that cause system hangs or crashes, disrupting critical services and applications. Organizations relying on Linux-based infrastructure for servers, workstations, or embedded devices in sectors such as finance, telecommunications, manufacturing, and public services may experience operational downtime. While the vulnerability does not directly expose data confidentiality or integrity, the resulting denial-of-service conditions could impair business continuity and service delivery. Environments with high-concurrency memory operations (for example, frequent page migration) or heavy graphical workloads using DRM are more likely to hit the race. Since no exploits are currently known, the immediate risk is moderate, but unpatched systems remain exposed to potential future exploitation or to accidental triggering of the deadlock under normal load.

Mitigation Recommendations

To mitigate CVE-2025-37868, European organizations should:

1) Apply the official Linux kernel patch that removes the redundant mark_page_accessed/dirty calls in the notifier callback as soon as it is available from their Linux distribution vendors or upstream sources.
2) Monitor kernel updates and subscribe to security advisories from Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) to ensure timely patch deployment.
3) Conduct thorough testing of kernel updates in staging environments to verify stability and compatibility, especially for systems utilizing DRM Xe user pointer features.
4) Where possible, limit the use of DRM Xe user pointer functionality if it is not essential, as a temporary workaround to reduce exposure.
5) Implement robust system monitoring to detect signs of kernel deadlocks or hangs, enabling rapid incident response and system recovery.
6) Maintain comprehensive backups and high availability configurations to minimize operational impact in case of system outages.
7) Engage with hardware and software vendors to confirm support and patch availability for embedded or specialized Linux systems.

These steps go beyond generic advice by focusing on specific subsystem awareness, patch management, and operational resilience tailored to this concurrency vulnerability.
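Recommendation 5 (monitoring for kernel deadlocks or hangs) can be made concrete: a task stuck in a deadlock like this one sits in the D (uninterruptible) state, and the kernel's hung-task detector reports it in the kernel log as "INFO: task <comm>:<pid> blocked for more than <N> seconds." followed by a call trace. The added example below, which is not part of this advisory or of any vendor tooling, parses such reports out of dmesg text and flags those whose stack shows a folio-lock wait inside one of the parties named in the description (migrate_pages_batch, or an xe_-prefixed driver function). The dmesg sample is constructed: the kernel message format and symbol names are real, but the addresses, offsets, PIDs and timestamps are made up for illustration, and treating an xe_ prefix as "the Xe driver" is a triage heuristic assumed here, not a kernel convention.

```python
"""Triage kernel hung-task reports for the lock-wait pattern of CVE-2025-37868.
Added example code; the dmesg excerpt below is constructed, not a real capture."""
import re
from dataclasses import dataclass, field
from typing import List

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")  # strip the "[ seconds.micro] " prefix
HUNG_RE = re.compile(r"INFO: task (?P<comm>.+?):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds\.")
FRAME_RE = re.compile(r"^\s*(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Symbols that show a task sleeping on a folio lock (mm/filemap.c).
FOLIO_WAIT = {"__folio_lock", "folio_wait_bit_common"}


@dataclass
class HungTask:
    comm: str
    pid: int
    seconds: int
    frames: List[str] = field(default_factory=list)

    def waiting_on_folio_lock(self) -> bool:
        return any(f in FOLIO_WAIT for f in self.frames)

    def involves_deadlock_party(self) -> bool:
        # Assumption: migrate_pages_batch or any xe_* frame marks one of the two
        # parties the advisory describes; other callers are unrelated hangs.
        return any(f == "migrate_pages_batch" or f.startswith("xe_") for f in self.frames)

    def matches_cve_pattern(self) -> bool:
        return self.waiting_on_folio_lock() and self.involves_deadlock_party()


def parse_hung_tasks(dmesg: str) -> List[HungTask]:
    """Collect each hung-task report and the symbols of its <TASK> ... </TASK> trace."""
    reports: List[HungTask] = []
    current = None
    for raw in dmesg.splitlines():
        line = TS_RE.sub("", raw)
        m = HUNG_RE.search(line)
        if m:
            current = HungTask(m["comm"], int(m["pid"]), int(m["secs"]))
            reports.append(current)
            continue
        if current is None:
            continue
        fm = FRAME_RE.match(line)
        if fm:
            current.frames.append(fm["sym"])
        elif line.strip() == "</TASK>":
            current = None  # end of this report's call trace
    return reports


# Constructed sample: three hung tasks, only the first fits the CVE-2025-37868 pattern
# (folio-lock wait reached from migrate_pages_batch).
SAMPLE_DMESG = """\
[ 1203.001] INFO: task kworker/u16:2:4711 blocked for more than 122 seconds.
[ 1203.002]       Not tainted 6.14.0-example #1
[ 1203.003] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1203.004] task:kworker/u16:2   state:D stack:0     pid:4711  ppid:2      flags:0x00004000
[ 1203.005] Call Trace:
[ 1203.006]  <TASK>
[ 1203.007]  __schedule+0x3e5/0x1200
[ 1203.008]  schedule+0x27/0xa0
[ 1203.009]  io_schedule+0x46/0x70
[ 1203.010]  folio_wait_bit_common+0x130/0x2f0
[ 1203.011]  __folio_lock+0x17/0x30
[ 1203.012]  migrate_pages_batch+0x5b2/0x1a00
[ 1203.013]  </TASK>
[ 1204.100] INFO: task jbd2/sda1-8:312 blocked for more than 122 seconds.
[ 1204.101] Call Trace:
[ 1204.102]  <TASK>
[ 1204.103]  __schedule+0x3e5/0x1200
[ 1204.104]  schedule+0x27/0xa0
[ 1204.105]  jbd2_journal_commit_transaction+0x2b1/0x1a30
[ 1204.106]  </TASK>
[ 1205.200] INFO: task updatedb:2048 blocked for more than 122 seconds.
[ 1205.201] Call Trace:
[ 1205.202]  <TASK>
[ 1205.203]  __schedule+0x3e5/0x1200
[ 1205.204]  schedule+0x27/0xa0
[ 1205.205]  folio_wait_bit_common+0x130/0x2f0
[ 1205.206]  __folio_lock+0x17/0x30
[ 1205.207]  truncate_inode_pages_range+0x2a0/0x3f0
[ 1205.208]  </TASK>
"""

if __name__ == "__main__":
    for task in parse_hung_tasks(SAMPLE_DMESG):
        verdict = "MATCHES CVE-2025-37868 pattern" if task.matches_cve_pattern() else "unrelated hang"
        print(f"{task.comm} (pid {task.pid}) blocked {task.seconds}s: {verdict}")
```

In production the input would be `dmesg` or journald output rather than the embedded sample, and a match is a triage signal to prioritise the kernel update, not proof of this specific CVE; the third task shows why both conditions are needed, since a folio-lock wait alone is common to many unrelated stalls.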


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.959Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7d38

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/4/2025, 12:41:48 AM

Last updated: 7/30/2025, 5:55:52 AM

