Description
In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering

If a memory allocation fails during dup_mmap(), the maple tree can be left
in an unsafe state for other iterators besides the exit path. All the
locks are dropped before the exit_mmap() call (in mm/mmap.c), but the
incomplete mm_struct can be reached through (at least) the rmap finding
the vmas which have a pointer back to the mm_struct.

Up to this point, there have been no issues with being able to find an
mm_struct that was only partially initialised. Syzbot was able to make
the incomplete mm_struct fail with recent forking changes, so it has been
proven unsafe to use the mm_struct that hasn't been initialised, as
referenced in the link below.

Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to
invalid mm") fixed the uprobe access, it does not completely remove the
race.

This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the
oom side (even though this is extremely unlikely to be selected as an oom
victim in the race window), and sets MMF_UNSTABLE to avoid other potential
users from using a partially initialised mm_struct.

When registering vmas for uprobe, skip the vmas in an mm that is marked
unstable. Modifying a vma in an unstable mm may cause issues if the mm
isn't fully initialised.
Published: 2025-02-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A failure during the dup_mmap() routine when a memory allocation fails can leave the memory map tree in an unsafe state, exposing a partially initialised mm_struct to other iterators such as rmap and uprobe registrations. This incomplete mm_struct can be accessed before all initialization steps have completed, leading to potential memory corruption or kernel crashes. The kernel patch mitigates the issue by setting flags to skip OOM iterations and marking unsafely initialised mm_structs as unstable, thereby preventing their use during uprobe registration.

Affected Systems

All Linux kernel builds that have not incorporated the patch introduced in commit 64c37e134b120fb462fb4a80694bfb8e7be77b14 are potentially vulnerable. The CNA list identifies the product as Linux kernel in general; no specific version range is listed, so any kernel prior to the application of the fix is at risk.

Risk and Exploitability

The CVSS score of 5.5 denotes a medium severity vulnerability, while the EPSS score of less than 1% indicates a low exploitation likelihood. The vulnerability is not present in the CISA KEV catalog, and there is no documented remote exploitation path. Based on the description, it is inferred that a privileged local attacker who can induce dup_mmap() failures could trigger a denial of service or memory corruption.

Generated by OpenCVE AI on May 1, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the patch for CVE-2025-21709, such as any release that integrates commit 64c37e134b120fb462fb4a80694bfb8e7be77b14.
  • If an immediate kernel upgrade is not possible, disable or restrict the use of uprobe functionality, which is the primary trigger for the unsafe mm_struct usage.
  • For custom kernel builds, apply the patch from the referenced commit to the source code and rebuild the kernel to ensure the fix is in place.

Generated by OpenCVE AI on May 1, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
EUVD EUVD EUVD-2025-5238 In the Linux kernel, the following vulnerability has been resolved: kernel: be more careful about dup_mmap() failures and uprobe registering If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete mm_struct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mm_struct. Up to this point, there have been no issues with being able to find an mm_struct that was only partially initialised. Syzbot was able to make the incomplete mm_struct fail with recent forking changes, so it has been proven unsafe to use the mm_struct that hasn't been initialised, as referenced in the link below. Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to invalid mm") fixed the uprobe access, it does not completely remove the race. This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the oom side (even though this is extremely unlikely to be selected as an oom victim in the race window), and sets MMF_UNSTABLE to avoid other potential users from using a partially initialised mm_struct. When registering vmas for uprobe, skip the vmas in an mm that is marked unstable. Modifying a vma in an unstable mm may cause issues if the mm isn't fully initialised.
History

Wed, 22 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 30 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Fri, 28 Feb 2025 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 27 Feb 2025 02:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: kernel: be more careful about dup_mmap() failures and uprobe registering If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete mm_struct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mm_struct. Up to this point, there have been no issues with being able to find an mm_struct that was only partially initialised. Syzbot was able to make the incomplete mm_struct fail with recent forking changes, so it has been proven unsafe to use the mm_struct that hasn't been initialised, as referenced in the link below. Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to invalid mm") fixed the uprobe access, it does not completely remove the race. This patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the oom side (even though this is extremely unlikely to be selected as an oom victim in the race window), and sets MMF_UNSTABLE to avoid other potential users from using a partially initialised mm_struct. When registering vmas for uprobe, skip the vmas in an mm that is marked unstable. Modifying a vma in an unstable mm may cause issues if the mm isn't fully initialised.
Title kernel: be more careful about dup_mmap() failures and uprobe registering
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:04:53.434Z

Reserved: 2024-12-29T08:45:45.752Z

Link: CVE-2025-21709

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2025-02-27T02:15:14.560

Modified: 2026-04-22T13:16:18.707

Link: CVE-2025-21709

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-27T00:00:00Z

Links: CVE-2025-21709 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses