CVE-2025-38256 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: fix folio unpinning

syzbot complains about an unmapping failure:

[ 108.070381][ T14] kernel BUG at mm/gup.c:71!
[ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025
[ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work
[ 108.174205][ T14] Call trace:
[ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)
[ 108.178138][ T14] unpin_user_page+0x80/0x10c
[ 108.180189][ T14] io_release_ubuf+0x84/0xf8
[ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c
[ 108.184345][ T14] io_rsrc_data_free+0x148/0x298
[ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0
[ 108.188991][ T14] io_ring_ctx_free+0x48/0x480
[ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8
[ 108.193207][ T14] process_one_work+0x7e8/0x155c
[ 108.195431][ T14] worker_thread+0x958/0xed8
[ 108.197561][ T14] kthread+0x5fc/0x75c
[ 108.199362][ T14] ret_from_fork+0x10/0x20

We can pin a tail page of a folio, but then io_uring will try to unpin the head page of the folio. While it should be fine in terms of keeping the page actually alive, mm folks say it's wrong and triggers a debug warning. Use unpin_user_folio() instead of unpin_user_page*.

[axboe: adapt to current tree, massage commit message]

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability identified as CVE-2025-38256 resides within the Linux kernel's io_uring subsystem, specifically concerning resource management during folio unpinning operations. This issue manifests as an internal kernel error that results in a kernel BUG and subsequent system crash. The problem occurs when the io_uring framework attempts to manage memory pages associated with folios, which are kernel data structures used to represent contiguous memory regions. The system generates a call trace indicating that the error originates from mm/gup.c at line 71, where a kernel assertion fails during the sanity check of pinned pages. This type of error directly impacts system stability and can lead to denial of service conditions, particularly in environments heavily reliant on io_uring for high-performance I/O operations.

The technical flaw stems from an incorrect approach to folio management within the io_uring resource cleanup process. When a folio is pinned, the system should maintain consistency in how the head and tail pages are handled during unpinning operations. The current implementation incorrectly attempts to unpin the head page of a folio while the tail page remains pinned, which violates kernel memory management principles. This mismatch triggers a debug warning from the memory management subsystem, specifically the generic user page handling code in mm/gup.c. The kernel's memory management team has identified this as an improper usage pattern that should instead employ the proper folio unpinning function unpin_user_folio() rather than the page-level unpinning functions. This inconsistency represents a violation of proper kernel memory management practices and is categorized under CWE-129, which deals with improper handling of memory resources.

The operational impact of this vulnerability extends beyond simple system crashes, as it affects the reliability of io_uring-based applications that are critical for high-performance computing environments. The io_uring subsystem is designed to provide efficient asynchronous I/O operations and is widely used in database servers, web servers, and other high-throughput applications. When this kernel BUG occurs, it can cause complete system instability, requiring manual intervention to reboot affected systems. The vulnerability particularly affects systems running kernel versions where the io_uring resource management has not been updated to use the proper folio handling functions. This type of vulnerability aligns with ATT&CK technique T1489, which involves affecting availability through kernel-level modifications, and represents a significant risk to system uptime and data integrity in production environments where io_uring is actively utilized.

Mitigation strategies for this vulnerability involve updating to kernel versions that contain the appropriate fix, which specifically addresses the use of unpin_user_folio() instead of the incorrect unpin_user_page* functions. System administrators should prioritize applying kernel updates that include this patch, particularly in production environments where io_uring is actively used for I/O operations. The fix involves modifying the io_uring resource management code to correctly handle folio structures by using the appropriate folio-level unpinning functions rather than page-level functions. Organizations should also implement monitoring systems to detect potential kernel BUG occurrences and establish incident response procedures for handling kernel-level crashes. Additionally, security teams should consider implementing kernel hardening measures such as kernel module signing and runtime integrity checking to prevent exploitation of similar memory management vulnerabilities. This vulnerability underscores the importance of proper kernel resource management and the need for rigorous testing of memory management operations in high-performance I/O subsystems.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!