Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 5.7, < 5.10.241 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425Patch
- https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8Patch
- https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99aPatch
- https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4Patch
- https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76fPatch
- https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cdPatch
- https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6bPatch
- https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83Patch
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlThird Party Advisory
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
FAQ
What is CVE-2025-38681?
CVE-2025-38681 is a vulnerability with a CVSS score of 4.7 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table...
How severe is CVE-2025-38681?
CVE-2025-38681 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-38681?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux.