{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21984","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.799Z","datePublished":"2025-04-01T15:47:11.523Z","dateUpdated":"2026-05-11T21:10:23.419Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:10:23.419Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix kernel BUG when userfaultfd_move encounters swapcache\n\nuserfaultfd_move() checks whether the PTE entry is present or a\nswap entry.\n\n- If the PTE entry is present, move_present_pte() handles folio\n  migration by setting:\n\n  src_folio->index = linear_page_index(dst_vma, dst_addr);\n\n- If the PTE entry is a swap entry, move_swap_pte() simply copies\n  the PTE to the new dst_addr.\n\nThis approach is incorrect because, even if the PTE is a swap entry,\nit can still reference a folio that remains in the swap cache.\n\nThis creates a race window between steps 2 and 4.\n 1. add_to_swap: The folio is added to the swapcache.\n 2. try_to_unmap: PTEs are converted to swap entries.\n 3. pageout: The folio is written back.\n 4. Swapcache is cleared.\nIf userfaultfd_move() occurs in the window between steps 2 and 4,\nafter the swap PTE has been moved to the destination, accessing the\ndestination triggers do_swap_page(), which may locate the folio in\nthe swapcache. However, since the folio's index has not been updated\nto match the destination VMA, do_swap_page() will detect a mismatch.\n\nThis can result in two critical issues depending on the system\nconfiguration.\n\nIf KSM is disabled, both small and large folios can trigger a BUG\nduring the add_rmap operation due to:\n\n page_pgoff(folio, page) != linear_page_index(vma, address)\n\n[   13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c\n[   13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0\n[   13.337716] memcg:ffff00000405f000\n[   13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)\n[   13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001\n[   13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000\n[   13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))\n[   13.340190] ------------[ cut here ]------------\n[   13.340316] kernel BUG at mm/rmap.c:1380!\n[   13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[   13.340969] Modules linked in:\n[   13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299\n[   13.341470] Hardware name: linux,dummy-virt (DT)\n[   13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   13.341815] pc : __page_check_anon_rmap+0xa0/0xb0\n[   13.341920] lr : __page_check_anon_rmap+0xa0/0xb0\n[   13.342018] sp : ffff80008752bb20\n[   13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001\n[   13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001\n[   13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00\n[   13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff\n[   13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f\n[   13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0\n[   13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40\n[   13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8\n[   13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000\n[   13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f\n[   13.343876] Call trace:\n[   13.344045]  __page_check_anon_rmap+0xa0/0xb0 (P)\n[   13.344234]  folio_add_anon_rmap_ptes+0x22c/0x320\n[   13.344333]  do_swap_page+0x1060/0x1400\n[   13.344417]  __handl\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/userfaultfd.c"],"versions":[{"version":"adef440691bab824e39c1b17382322d195e1fab0","lessThan":"4e9507246298fd6f1ca7bb42ef01a6e34fb93684","status":"affected","versionType":"git"},{"version":"adef440691bab824e39c1b17382322d195e1fab0","lessThan":"b1e11bd86c0943bb7624efebdc384340a50ad683","status":"affected","versionType":"git"},{"version":"adef440691bab824e39c1b17382322d195e1fab0","lessThan":"c50f8e6053b0503375c2975bf47f182445aebb4c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/userfaultfd.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.12.20","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.8","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.13.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4e9507246298fd6f1ca7bb42ef01a6e34fb93684"},{"url":"https://git.kernel.org/stable/c/b1e11bd86c0943bb7624efebdc384340a50ad683"},{"url":"https://git.kernel.org/stable/c/c50f8e6053b0503375c2975bf47f182445aebb4c"}],"title":"mm: fix kernel BUG when userfaultfd_move encounters swapcache","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-362","lang":"en","description":"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":4.7,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T17:14:21.959942Z","id":"CVE-2025-21984","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T17:14:24.524Z"}}]}}