CVE-2025-40336 in Linux
Summary
by MITRE • 12/09/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/gpusvm: fix hmm_pfn_to_map_order() usage
Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.
v2: - Add kernel-doc (Matt B) - s/fls/ilog2/ (Thomas)
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability CVE-2025-40336 addresses a critical memory management flaw within the Linux kernel's graphics processing unit subsystem, specifically affecting the drm/gpusvm component. This issue manifests in the improper handling of memory range mappings when dealing with huge pages, creating potential security risks that could allow unauthorized memory access patterns. The vulnerability arises from the incorrect implementation of the hmm_pfn_to_map_order() function which fails to properly account for partial huge page coverage scenarios. When a memory range partially overlaps with a huge page boundary - typically 2 megabyte pages - the kernel's memory management logic can inadvertently map memory regions that fall outside the intended range, potentially accessing unmapped or unauthorized memory sections. This misbehavior creates a pathway for memory corruption and could enable privilege escalation or information disclosure attacks. The flaw is particularly concerning in graphics processing contexts where GPU memory management interacts with user-space applications through the graphics subsystem.
The technical implementation of this vulnerability stems from the failure to properly validate memory range boundaries when processing huge page mappings. The kernel's memory management subsystem uses the hmm_pfn_to_map_order() function to determine appropriate mapping orders for memory pages, but this function does not adequately handle cases where a memory range intersects with huge page boundaries. When the range partially covers a huge page, the system can compute incorrect mapping parameters that result in attempting to map memory regions beyond the intended scope. This occurs because the existing code does not properly account for the relationship between the memory range boundaries and the huge page alignment requirements. The flaw is exacerbated by the fact that huge pages are commonly used in graphics processing units for performance optimization, making this vulnerability particularly impactful in GPU-intensive applications and systems. The improper memory mapping calculations can lead to memory corruption, data leakage, or potentially arbitrary code execution within kernel space.
The operational impact of CVE-2025-40336 extends beyond simple memory management issues to potentially compromise system security and stability. Systems utilizing graphics processing units with memory management features that rely on the drm/gpusvm subsystem are at risk, particularly those running graphics-intensive applications or serving graphics-related services. The vulnerability could enable attackers to access memory regions that should remain protected, potentially leading to privilege escalation attacks where malicious code could gain elevated system privileges. Additionally, the improper memory mapping behavior could cause system instability through memory corruption, leading to system crashes or hangs. This vulnerability affects systems where the kernel handles GPU memory management through the Graphics Processing Unit Virtual Memory subsystem, making it relevant to a wide range of computing environments including servers, desktop systems, and embedded devices that utilize graphics processing capabilities. The risk is particularly elevated in multi-user environments where GPU resources are shared, as the vulnerability could allow one user to access another user's memory space or system resources.
The fix for CVE-2025-40336 implements a defensive approach that aligns with established kernel memory management practices and follows the principles outlined in the ATT&CK framework for kernel-level vulnerabilities. The solution modifies the hmm_pfn_to_map_order() function to properly handle partial huge page coverage scenarios by incorporating proper boundary validation and range checking mechanisms. This approach is consistent with the kernel's memory management standards and ensures that memory mappings remain within the intended boundaries. The implementation references existing code patterns found in xe userptr functionality, demonstrating a coordinated approach to fixing similar issues across related subsystems. The fix incorporates kernel documentation improvements as part of the v2 update, enhancing maintainability and clarity for future development. The transition from fls to ilog2 function calls represents a more precise mathematical approach to calculating bit positions, reducing potential edge case failures in memory management calculations. This remediation approach aligns with CWE-129, which addresses improper validation of array indices and memory access boundaries, ensuring that memory operations remain within safe and intended parameters. The fix ensures that memory mappings respect the boundaries of the intended memory ranges while maintaining compatibility with existing graphics processing unit memory management workflows.
This vulnerability demonstrates the complex interplay between memory management subsystems and graphics processing unit virtual memory handling in modern Linux kernels. The issue highlights the importance of proper boundary checking in kernel memory management functions and the need for careful validation when dealing with huge page alignments. The fix addresses a fundamental flaw in how the kernel handles memory range mappings when huge pages are involved, ensuring that memory operations remain confined to the intended scope. Security practitioners should prioritize patching systems running affected kernel versions, particularly those with graphics processing capabilities, as this vulnerability could enable significant security breaches through improper memory access patterns. The remediation approach provides a solid foundation for preventing similar issues in related subsystems while maintaining compatibility with existing graphics processing workloads. Organizations should monitor for additional patches that may address related memory management vulnerabilities in the graphics subsystem, as this fix represents one aspect of a broader category of kernel memory management security concerns.