{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39883","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.144Z","datePublished":"2025-09-23T06:00:51.548Z","dateUpdated":"2026-05-11T21:38:16.305Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:38:16.305Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n </TASK>\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered.  This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline > /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/memory-failure.c"],"versions":[{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"8e01ea186a52c90694c08a9ff57bea1b0e78256a","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"fb65803ccff37cf9123c50c1c02efd1ed73c4ed5","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"99f7048957f5ae3cee1c01189147e73a9a96de02","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"e4ec6def5643a1c9511115b3884eb879572294c6","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"7618fd443aa4cfa553a64cacf5721581653ee7b0","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96","status":"affected","versionType":"git"},{"version":"f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe","lessThan":"d613f53c83ec47089c4e25859d5e8e0359f6f8da","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/memory-failure.c"],"versions":[{"version":"4.13","status":"affected"},{"version":"0","lessThan":"4.13","status":"unaffected","versionType":"semver"},{"version":"5.4.300","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.245","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.194","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.153","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.107","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.48","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.8","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.4.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.10.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.15.194"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.1.153"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.6.107"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.12.48"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.16.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a"},{"url":"https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5"},{"url":"https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02"},{"url":"https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6"},{"url":"https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a"},{"url":"https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0"},{"url":"https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96"},{"url":"https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da"}],"title":"mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:44:24.900Z"}}]}}