Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-38554— mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped

EPSS 0.02% · P5

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinux3104138517fc66aad21f4a2487bb572e9fc2e3ec< 6e88fe54721dee17d3496bc998f0c7d243896348affected
3104138517fc66aad21f4a2487bb572e9fc2e3ec< 1bcd236a2536a451e385f8d6d2bb589689ec812faffected
3104138517fc66aad21f4a2487bb572e9fc2e3ec< 9bbffee67ffd16360179327b57f3b1245579ef08affected
6.15affected
< 6.15unaffected
6.15.10≤ 6.15.*unaffected
6.16.1≤ 6.16.*unaffected
6.17≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-38554

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb@google.com: v3]
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于vma->mm释放后vma->vm_refcnt被丢弃,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 3104138517fc66aad21f4a2487bb572e9fc2e3ec ~ 6e88fe54721dee17d3496bc998f0c7d243896348 -
LinuxLinux 6.15 -

II. Public POCs for CVE-2025-38554

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-38554

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-08-19 · 60 CVEs total

CVE-2025-38594iommu/vt-d: Fix UAF on sva unbind with pending IOPFs
CVE-2025-38614eventpoll: Fix semi-unbounded recursion
CVE-2025-38610powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()
CVE-2025-38609PM / devfreq: Check governor before using governor->name
CVE-2025-38608bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
CVE-2025-38612staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
CVE-2025-38598drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0
CVE-2025-38597drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port
CVE-2025-38595xen: fix UAF in dmabuf_exp_from_pages()
CVE-2025-38596drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
CVE-2025-38599wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx()
CVE-2025-38593Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
CVE-2025-38592Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
CVE-2025-38591bpf: Reject narrower access to pointer ctx fields
CVE-2025-38590net/mlx5e: Remove skb secpath if xfrm state is not found
CVE-2025-38589neighbour: Fix null-ptr-deref in neigh_flush_dev().
CVE-2025-38588ipv6: prevent infinite loop in rt6_nlmsg_size()
CVE-2025-38587ipv6: fix possible infinite loop in fib6_info_uses_dev()
CVE-2025-38586bpf, arm64: Fix fp initialization for exception boundary
CVE-2025-38585staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()

Showing top 20 of 60 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-38554

No comments yet

Leave a comment