CVE-2025-38084
Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh@google.com: v2]
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 6.1.147-1 |
| debian | bullseye | fixed | 5.10.244-1 |
| debian | forky | fixed | 6.12.35-1 |
| debian | sid | fixed | 6.12.35-1 |
| debian | trixie | fixed | 6.12.35-1 |
| almalinux | 9 | fixed | kernel-debug-devel-5.14.0-570.35.1.el9_6.aarch64.rpm |
References
- https://access.redhat.com/errata/RHSA-2025:13962
- https://www.suse.com/security/cve/CVE-2025-38084.html
- https://security-tracker.debian.org/tracker/CVE-2025-38084
- https://bugzilla.redhat.com/2355334
- https://bugzilla.redhat.com/2366125
- https://bugzilla.redhat.com/2375303
- https://bugzilla.redhat.com/2375304
- https://bugzilla.redhat.com/2376041
- https://bugzilla.redhat.com/2376064
- https://bugzilla.redhat.com/2378982
- https://bugzilla.redhat.com/2383381
- https://bugzilla.redhat.com/2383893
- https://errata.almalinux.org/9/ALSA-2025-13962.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.