CVE-2025-37958: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix dereferencing invalid pmd migration entry

When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target.

Mailing list discussion and explanation from Hugh Dickins:

"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for."

BUG: unable to handle page fault for address: ffffea60001db008
CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
Call Trace:
 <TASK>
 try_to_migrate_one+0x28c/0x3730
 rmap_walk_anon+0x4f6/0x770
 unmap_folio+0x196/0x1f0
 split_huge_page_to_list_to_order+0x9f6/0x1560
 deferred_split_scan+0xac5/0x12a0
 shrinker_debugfs_scan_write+0x376/0x470
 full_proxy_write+0x15c/0x220
 vfs_write+0x2fc/0xcb0
 ksys_write+0x146/0x250
 do_syscall_64+0x6a/0x120
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The bug is found by syzkaller on an internal kernel, then confirmed on upstream.
AI Analysis
Technical Summary
CVE-2025-37958 is a vulnerability in the Linux kernel's memory management subsystem, specifically in the handling of Transparent Huge Pages (THP) during page migration. The flaw arises while a THP is being migrated: concurrent access to the Page Middle Directory (PMD) migration entry during a deferred split scan can dereference an invalid address. This happens because the PMD migration entry may be treated as a present mapping without first being checked, resulting in an invalid memory access and a kernel page fault. The root cause is a missing early check for a PMD migration entry before operations that assume the PMD maps a folio. The vulnerability was found with syzkaller, a kernel fuzzing tool, on an internal kernel and then confirmed upstream. It manifests as a kernel crash ("BUG: unable to handle page fault") in split_huge_pmd_locked, reached from deferred_split_scan through try_to_migrate_one, as the call trace in the description shows. The fix adds a check for a PMD migration entry and returns early when one is found; there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to compare folios, because a locked PMD migration entry cannot be the target folio of the migration. The vulnerability affects Linux kernel versions that contain the affected commits identified in the CVE record, i.e. recent kernels prior to the fix. No known exploits have been reported in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with Transparent Huge Pages enabled, which is the default in many enterprise Linux distributions used on servers, in cloud infrastructure, and in embedded devices. Triggering the bug leads to a kernel crash (denial of service) caused by an invalid memory access during page migration, which can take down critical services. There is no direct evidence of privilege escalation or data corruption, but kernel crashes disrupt operations, cause system instability, and force reboots, which matters most in high-availability environments. Organizations relying on Linux-based infrastructure for web services, databases, or virtualization could experience service interruptions. Embedded systems or IoT devices running affected kernels may likewise be exposed to remote or local attacks that cause device failures; note that in the reported trace the crash was reached locally through a write to the shrinker debugfs interface (shrinker_debugfs_scan_write), and debugfs is normally accessible only to root. The absence of known exploits reduces immediate risk, but because the flaw sits in core kernel memory management code it could be targeted in the future. The impact on confidentiality and integrity is limited based on current information, while the availability impact is moderate to high depending on the deployment context.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions in which this vulnerability is patched. Since the issue is in core kernel memory management, applying vendor-supplied kernel updates or backported patches is essential. Where immediate patching is not feasible, consider disabling Transparent Huge Pages (THP) through /sys/kernel/mm/transparent_hugepage/enabled as a temporary mitigation, keeping in mind that this can reduce performance for memory-intensive workloads. Monitoring kernel logs (dmesg, journalctl -k) for "BUG: unable to handle page fault" oopses whose trace includes split_huge_pmd_locked, deferred_split_scan or try_to_migrate_one can reveal crashes matching this bug. Strict access controls and limits on untrusted code execution on affected systems, including restricting access to debugfs, reduce the chance that the bug is triggered. Organizations should also engage with their Linux distribution vendors to confirm patch availability and deployment timelines, and, for embedded devices, coordinate with hardware vendors for firmware and kernel updates. Finally, maintain robust backup and recovery procedures to minimize downtime should a crash occur.
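The two checks recommended above, log monitoring for the oops signature and verifying the THP mode, as an added example script; this is not code from the CVE record or the kernel project. The kernel-log excerpt inside it is constructed from the call trace in the description, and the optional path argument to thp_mode exists only so the function can be pointed at a sample file.

```shell
#!/bin/sh
# Added example for this advisory (not from the CVE record or the kernel):
# flag the CVE-2025-37958 oops signature in a kernel log and report the
# THP mode selected in sysfs on this host.

# Constructed kernel-log excerpt modelled on the trace in the description;
# on a real host feed `dmesg` or `journalctl -k` output instead.
SAMPLE_LOG='[  512.348271] BUG: unable to handle page fault for address: ffffea60001db008
[  512.348290] RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
[  512.348301] Call Trace:
[  512.348305]  <TASK>
[  512.348310]  try_to_migrate_one+0x28c/0x3730
[  512.348318]  rmap_walk_anon+0x4f6/0x770
[  512.348325]  unmap_folio+0x196/0x1f0
[  512.348332]  split_huge_page_to_list_to_order+0x9f6/0x1560
[  512.348340]  deferred_split_scan+0xac5/0x12a0'

# Returns 0 when the log holds a page-fault BUG whose trace goes through
# split_huge_pmd_locked on the THP migration / deferred split path.
has_thp_migration_oops() {
    log=$1
    printf '%s\n' "$log" | grep -q 'BUG: unable to handle page fault' || return 1
    printf '%s\n' "$log" | grep -q 'split_huge_pmd_locked' || return 1
    printf '%s\n' "$log" | grep -Eq 'deferred_split_scan|try_to_migrate_one' || return 1
    return 0
}

# Prints the bracketed (active) THP mode from the sysfs knob, e.g. "always",
# "madvise" or "never"; prints "unknown" if the file cannot be read.
# The path argument is only there so a sample file can be used in place of sysfs.
thp_mode() {
    knob=${1:-/sys/kernel/mm/transparent_hugepage/enabled}
    [ -r "$knob" ] || { echo unknown; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$knob"
}

if has_thp_migration_oops "$SAMPLE_LOG"; then
    echo "CVE-2025-37958 oops signature present in sample log"
fi
echo "THP mode on this host: $(thp_mode)"
```

A mode of "always" means every eligible anonymous mapping can be backed by THP, while "never" is the temporary mitigation described above.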
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.974Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeae87
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/3/2025, 6:57:13 PM
Last updated: 8/13/2025, 7:54:14 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)