CVE-2025-38733 in Linuxinfo

Summary

by MITRE • 09/05/2025

In the Linux kernel, the following vulnerability has been resolved:

s390/mm: Do not map lowcore with identity mapping

Since the identity mapping is pinned to address zero the lowcore is always also mapped to address zero, this happens regardless of the relocate_lowcore command line option. If the option is specified the lowcore is mapped twice, instead of only once.

This means that NULL pointer accesses will succeed instead of causing an exception (low address protection still applies, but covers only parts). To fix this never map the first two pages of physical memory with the identity mapping.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/09/2026

The vulnerability described in CVE-2025-38733 represents a critical memory management flaw within the Linux kernel's s390 architecture implementation that fundamentally compromises system security through improper memory mapping behavior. This issue affects the lowcore memory management system which is essential for the proper operation of the Linux kernel on IBM System/390 mainframe architecture. The vulnerability stems from the kernel's handling of identity mapping for physical memory addresses, specifically when mapping the first two pages of physical memory, which contain critical system data structures including the lowcore area that is vital for kernel operation and system integrity.

The technical flaw manifests when the kernel attempts to map the lowcore memory area using identity mapping, which is a mechanism that maps physical addresses directly to virtual addresses without any offset or translation. The identity mapping is pinned to address zero in the kernel's virtual memory space, meaning that when the lowcore is mapped using this mechanism, it always gets placed at virtual address zero regardless of the system's configuration. This behavior is particularly problematic because the relocate_lowcore command line option, which is designed to move the lowcore to a different memory location for security purposes, is effectively ignored due to the mandatory identity mapping at address zero. The consequence is that the lowcore gets mapped twice - once through the identity mapping mechanism and once through the intended relocation mechanism, creating a dangerous overlap in memory mappings that fundamentally undermines the kernel's memory protection mechanisms.

The operational impact of this vulnerability is severe and directly affects the kernel's ability to enforce proper memory protection, particularly around NULL pointer dereferences that should normally trigger page fault exceptions. When the lowcore is incorrectly mapped at address zero through identity mapping, it creates a situation where NULL pointer accesses can succeed instead of causing the expected exceptions, effectively bypassing the kernel's fundamental memory protection mechanisms. This vulnerability creates a potential attack vector where malicious code could exploit the improper memory mapping to gain unauthorized access to kernel memory regions, potentially leading to privilege escalation, system compromise, or complete system takeover. The low address protection mechanism, while still active, only covers partial memory regions rather than providing comprehensive protection due to the overlapping memory mappings created by this flaw.

The mitigation strategy for this vulnerability requires modifying the kernel's memory management subsystem to prevent the mapping of the first two pages of physical memory using identity mapping, which would eliminate the double mapping issue and restore proper memory protection mechanisms. This fix aligns with the fundamental principles of secure memory management as outlined in the Common Weakness Enumeration (CWE) category CWE-129, which addresses improper handling of memory regions and the lack of proper bounds checking. The vulnerability demonstrates the importance of proper memory mapping and virtual memory management in preventing privilege escalation attacks, which is consistent with techniques described in the MITRE ATT&CK framework under the privilege escalation tactic. System administrators should ensure that affected kernels are updated with patches that implement the fix, which involves modifying the s390 architecture-specific memory management code to properly handle the lowcore mapping without the interference of identity mapping at address zero. The fix essentially prevents the kernel from creating the conflicting memory mappings that allow NULL pointer dereferences to succeed, thereby restoring the expected behavior where such accesses properly trigger page fault exceptions and maintain the integrity of the kernel's memory protection mechanisms.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00143

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!