CVE-2025-21696
Linux Kernel Userfaultfd Write Protection Flag Clearing Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved: mm: clear uffd-wp PTE/PMD state on mremap() When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths.
INFO
Published Date :
Feb. 12, 2025, 2:15 p.m.
Last Modified :
Feb. 14, 2025, 3:42 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Update the Linux kernel to a patched version.
- Ensure userfaultfd write-protection flags are cleared correctly.
- Verify memory region states after mremap operations.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-21696.
| URL | Resource |
|---|---|
| https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 | Patch |
| https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8 | Patch |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-21696 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-21696
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-21696 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-21696 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 14, 2025
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.7 up to (excluding) 6.12.11 *cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:* Changed Reference Type https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 No Types Assigned https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 Patch Changed Reference Type https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8 No Types Assigned https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8 Patch -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Feb. 12, 2025
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: mm: clear uffd-wp PTE/PMD state on mremap() When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths. Added Reference https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3 Added Reference https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8