CVE-2025-22045 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table:

collapse_pte_mapped_thp
  pmdp_collapse_flush
    flush_tlb_range

The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way.

Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact:

- In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks.
- In Hyper-V TLB paravirtualization, again for lazy TLB stuff.

The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/[email protected]/>) would probably be making the impact of this a lot worse.


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-22045 addresses an inconsistency in the x86 memory-management code of the Linux kernel concerning TLB (Translation Lookaside Buffer) invalidation during page-table manipulation. The affected function, flush_tlb_range(), invalidates cached translations after page-table entries are modified or removed. The flaw is a behavioral difference between the x86 and arm64 implementations: the arm64 version is documented as safe for page-table removal and deliberately avoids last-level invalidation optimizations, while the x86 version did not account for that case.

The problematic path is collapse_pte_mapped_thp(), which calls pmdp_collapse_flush() and then flush_tlb_range(). On that path a normal PMD (Page Middle Directory) entry, one that points to a page table rather than to a huge page, is zapped together with the PTE (Page Table Entry) entries in the page table it points to. The x86 flush_tlb_range() did not signal to the lower-level flush code that page tables may have been freed, so the flush behaved as if only last-level translations had changed. The entry is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): the underlying risk is that a CPU continues to use, or speculatively walks, a page table that has already been freed and may be reused.

Operationally, the issue arises during transparent huge page (THP) collapse, when a PTE-mapped region is converted and its page table is removed. The kernel commit notes that the current impact is limited because x86 uses the freed-page-tables indication for only two purposes: deciding in native_flush_tlb_multi() whether lazy TLB CPUs must be sent IPIs (Inter-Processor Interrupts), so that their speculative page-table walks cannot touch freed tables, and the equivalent lazy TLB handling in the Hyper-V TLB paravirtualization path. On affected kernels a lazy CPU could therefore be skipped by the flush and retain a stale path into a freed page table. The commit also warns that the pending patch "x86/mm: only invalidate final translations with INVLPGB", which would make x86 rely on the same indication to decide whether intermediate translations need invalidating at all, would make the impact of this bug considerably worse.

The fix aligns the x86 flush_tlb_range() with the arm64 version: it now always reports that page tables may have been freed (the freed_tables indication passed down to flush_tlb_mm_range()), so the flush does not rely on last-level invalidation optimizations. When PMD entries pointing to page tables are zapped, the invalidation then covers the removal of the whole page table rather than only the individual translations, and lazy TLB CPUs are interrupted as well. The change makes x86 behave consistently with the other architectures; no configuration workaround is described, so updating to a kernel that carries the fix is the mitigation.
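To make the consequence of the flag concrete, the following is an added user-space model of the IPI-target selection described above; it is not kernel code and not part of the VulDB entry. The struct and function names (mm_model, flush_targets, flush_tlb_range_before/after, stale_after_pmd_zap) and the CPU scenario are constructed for illustration. It reproduces only the effect that matters here: without the freed-tables indication, lazy TLB CPUs are skipped and can keep a stale walk into a freed page table; with it, every CPU in the mm's mask is flushed.

```c
/*
 * Added example: user-space model of how the x86 flush path chooses which
 * CPUs to IPI, and why the freed_tables indication matters when a PMD that
 * points to a page table is zapped. Not kernel code; names are constructed.
 *
 * A CPU in "lazy TLB" mode (running a kernel thread while still holding the
 * mm's page tables loaded) is normally skipped, because its TLB is flushed at
 * the next context switch. When page tables themselves are freed, every CPU
 * in the mm's mask must be interrupted, because a lazy CPU may still walk the
 * freed table speculatively.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-mm state: which CPUs have the mm loaded and which of them are lazy. */
struct mm_model {
    uint32_t cpu_mask;   /* CPUs that have (or recently had) this mm active */
    uint32_t lazy_mask;  /* subset of cpu_mask currently in lazy TLB mode */
};

/* Constructed scenario: CPUs 0-3 have the mm loaded, CPUs 2 and 3 are lazy. */
static const struct mm_model example_mm = { .cpu_mask = 0x0f, .lazy_mask = 0x0c };

/*
 * Decide which CPUs to IPI for a range flush. Models the lazy-CPU filter in
 * native_flush_tlb_multi(): lazy CPUs are skipped unless tables were freed.
 */
static uint32_t flush_targets(const struct mm_model *mm, bool freed_tables)
{
    if (freed_tables)
        return mm->cpu_mask;                 /* IPI everyone, lazy or not */
    return mm->cpu_mask & ~mm->lazy_mask;    /* skip lazy CPUs */
}

/* x86 flush_tlb_range() before the fix: freed_tables indication never set. */
static uint32_t flush_tlb_range_before(const struct mm_model *mm)
{
    return flush_targets(mm, false);
}

/* After the fix: flush_tlb_range() reports that page tables may be freed. */
static uint32_t flush_tlb_range_after(const struct mm_model *mm)
{
    return flush_targets(mm, true);
}

/* CPUs not flushed that may still walk the freed page table after a PMD zap. */
static uint32_t stale_after_pmd_zap(const struct mm_model *mm, uint32_t targets)
{
    return mm->cpu_mask & ~targets;
}

int main(void)
{
    uint32_t before = flush_tlb_range_before(&example_mm);
    uint32_t after  = flush_tlb_range_after(&example_mm);

    printf("before fix: IPI mask 0x%02x, CPUs with possible stale walk 0x%02x\n",
           before, stale_after_pmd_zap(&example_mm, before));
    printf("after fix:  IPI mask 0x%02x, CPUs with possible stale walk 0x%02x\n",
           after, stale_after_pmd_zap(&example_mm, after));
    return 0;
}
```

In the constructed scenario the pre-fix path interrupts only CPUs 0 and 1 and leaves the two lazy CPUs with a possible stale walk into the freed table, while the fixed path interrupts all four. The real kernel additionally tracks the flushed address range and TLB generation numbers; the model omits those because they do not change which CPUs are selected.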

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00176

KEV

no

Activities

very low
