CVE-2025-21709

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21709
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21709.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21709
Downstream
Published
2025-02-27T02:07:22Z
Modified
2025-10-17T21:17:20.976507Z
Summary
kernel: be more careful about dup_mmap() failures and uprobe registering
Details

In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering

If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete mm_struct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mm_struct.

Up to this point, there have been no issues with being able to find an mm_struct that was only partially initialised. Syzbot was able to make the incomplete mm_struct fail with recent forking changes, so it has been proven unsafe to use the mm_struct that hasn't been initialised, as referenced in the link below.

Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to invalid mm") fixed the uprobe access, it does not completely remove the race.

This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the oom side (even though this is extremely unlikely to be selected as an oom victim in the race window), and sets MMF_UNSTABLE to avoid other potential users from using a partially initialised mm_struct.

When registering vmas for uprobe, skip the vmas in an mm that is marked unstable. Modifying a vma in an unstable mm may cause issues if the mm isn't fully initialised.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2406291483775ecddaee929231a39c70c08fda2
Fixed
da139948aeda677ac09cc0e7d837f8a314de7d55
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2406291483775ecddaee929231a39c70c08fda2
Fixed
64c37e134b120fb462fb4a80694bfb8e7be77b14

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.7
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.13.2