CVE-2025-39961

EPSS 0.03%
Veröffentlicht 09.10.2025 12:13:22
Zuletzt bearbeitet 09.10.2025 15:50:04
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd/pgtbl: Fix possible race while increase page table level

The AMD IOMMU host page table implementation supports dynamic page table levels
(up to 6 levels), starting with a 3-level configuration that expands based on
IOVA address. The kernel maintains a root pointer and current page table level
to enable proper page table walks in alloc_pte()/fetch_pte() operations.

The IOMMU IOVA allocator initially starts with 32-bit address and onces its
exhuasted it switches to 64-bit address (max address is determined based
on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU
driver increases page table level.

But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads
pgtable->[root/mode] without lock. So its possible that in exteme corner case,
when increase_address_space() is updating pgtable->[root/mode], fetch_pte()
reads wrong page table level (pgtable->mode). It does compare the value with
level encoded in page table and returns NULL. This will result is
iommu_unmap ops to fail and upper layer may retry/log WARN_ON.

CPU 0                                         CPU 1
------                                       ------
map pages                                    unmap pages
alloc_pte() -> increase_address_space()      iommu_v1_unmap_pages() -> fetch_pte()
  pgtable->root = pte (new root value)
                                             READ pgtable->[mode/root]
					       Reads new root, old mode
  Updates mode (pgtable->mode += 1)

Since Page table level updates are infrequent and already synchronized with a
spinlock, implement seqcount to enable lock-free read operations on the read path.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 075abf0b1a958acfbea2435003d228e738e90346

Version 754265bcab78a9014f0f99cd35e0d610fcd7dfa7

Status affected

Version < cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b

Version 754265bcab78a9014f0f99cd35e0d610fcd7dfa7

Status affected

Version < 7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2

Version 754265bcab78a9014f0f99cd35e0d610fcd7dfa7

Status affected

Version < 1e56310b40fd2e7e0b9493da9ff488af145bdd0c

Version 754265bcab78a9014f0f99cd35e0d610fcd7dfa7

Status affected

Version 6fb92f18555a7b8e085267d513612dc0ff9a5360

Status affected

Version b15bf74405faa1a65025eb8a6eb337e140e5250a

Status affected

Version 0d50f7b1e8c80a8c20db5049e269468c059b0378

Status affected

Version 785ca708a908b9c596ede852470ba28b8dc3e40b

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 5.3

Status affected

Version < 5.3

Version 0

Status unaffected

Version <= 6.6.*

Version 6.6.108

Status unaffected

Version <= 6.12.*

Version 6.12.49

Status unaffected

Version <= 6.16.*

Version 6.16.9

Status unaffected

Version <= *

Version 6.17

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.066

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/075abf0b1a958acfbea2435003d228e738e90346

https://git.kernel.org/stable/c/cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b

https://git.kernel.org/stable/c/7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2

https://git.kernel.org/stable/c/1e56310b40fd2e7e0b9493da9ff488af145bdd0c

https://nvd.nist.gov/vuln/detail/CVE-2025-39961

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39961

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39961

EUVD