{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38256","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.997Z","datePublished":"2025-07-09T10:42:33.819Z","dateUpdated":"2026-05-11T21:24:16.843Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:24:16.843Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: fix folio unpinning\n\nsyzbot complains about an unmapping failure:\n\n[  108.070381][   T14] kernel BUG at mm/gup.c:71!\n[  108.070502][   T14] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[  108.123672][   T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025\n[  108.127458][   T14] Workqueue: iou_exit io_ring_exit_work\n[  108.174205][   T14] Call trace:\n[  108.175649][   T14]  sanity_check_pinned_pages+0x7cc/0x7d0 (P)\n[  108.178138][   T14]  unpin_user_page+0x80/0x10c\n[  108.180189][   T14]  io_release_ubuf+0x84/0xf8\n[  108.182196][   T14]  io_free_rsrc_node+0x250/0x57c\n[  108.184345][   T14]  io_rsrc_data_free+0x148/0x298\n[  108.186493][   T14]  io_sqe_buffers_unregister+0x84/0xa0\n[  108.188991][   T14]  io_ring_ctx_free+0x48/0x480\n[  108.191057][   T14]  io_ring_exit_work+0x764/0x7d8\n[  108.193207][   T14]  process_one_work+0x7e8/0x155c\n[  108.195431][   T14]  worker_thread+0x958/0xed8\n[  108.197561][   T14]  kthread+0x5fc/0x75c\n[  108.199362][   T14]  ret_from_fork+0x10/0x20\n\nWe can pin a tail page of a folio, but then io_uring will try to unpin\nthe head page of the folio. While it should be fine in terms of keeping\nthe page actually alive, mm folks say it's wrong and triggers a debug\nwarning. Use unpin_user_folio() instead of unpin_user_page*.\n\n[axboe: adapt to current tree, massage commit message]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/rsrc.c"],"versions":[{"version":"a8edbb424b1391b077407c75d8f5d2ede77aa70d","lessThan":"53fd75f25b223878b5fff14932e3a22f42b54f77","status":"affected","versionType":"git"},{"version":"a8edbb424b1391b077407c75d8f5d2ede77aa70d","lessThan":"11e7b7369e655e6131387b174218d7fa9557b3da","status":"affected","versionType":"git"},{"version":"a8edbb424b1391b077407c75d8f5d2ede77aa70d","lessThan":"5afb4bf9fc62d828647647ec31745083637132e4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/rsrc.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.36","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.5","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.15.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/53fd75f25b223878b5fff14932e3a22f42b54f77"},{"url":"https://git.kernel.org/stable/c/11e7b7369e655e6131387b174218d7fa9557b3da"},{"url":"https://git.kernel.org/stable/c/5afb4bf9fc62d828647647ec31745083637132e4"}],"title":"io_uring/rsrc: fix folio unpinning","x_generator":{"engine":"bippy-1.2.0"}}}}