CVE-2025-22000

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, causing truncated folios not being freed.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/14efb4793519d73fb2902bb0ece319b886e4b4b9	Patch
https://git.kernel.org/stable/c/86368616a9ce51f6b41efa251b6e066893851d67	Patch
https://git.kernel.org/stable/c/92ad820a1f2d95d5a8d6c2bd3f391bbb068a5f9e	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc7::::::

History

No history.

Information

Published : 2025-04-03 08:15

Updated : 2025-10-01 18:15

NVD link : CVE-2025-22000

Mitre link : CVE-2025-22000

CVE.ORG link : CVE-2025-22000

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2025-22000", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-03T08:15:15.483", "references": [{"url": "https://git.kernel.org/stable/c/14efb4793519d73fb2902bb0ece319b886e4b4b9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86368616a9ce51f6b41efa251b6e066893851d67", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/92ad820a1f2d95d5a8d6c2bd3f391bbb068a5f9e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-401"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: drop beyond-EOF folios with the right number of refs\n\nWhen an after-split folio is large and needs to be dropped due to EOF,\nfolio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all\npage cache refs. Otherwise, the folio will not be freed, causing memory\nleak.\n\nThis leak would happen on a filesystem with blocksize > page_size and a\ntruncate is performed, where the blocksize makes folios split to >0 order\nones, causing truncated folios not being freed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/huge_memory: se eliminan folios posteriores al fin del archivo con el n\u00famero correcto de referencias. Cuando un folio, tras la divisi\u00f3n, es grande y debe eliminarse debido al fin del archivo, se debe usar folio_put_refs(folio, folio_nr_pages(folio)) para eliminar todas las referencias de la cach\u00e9 de p\u00e1ginas. De lo contrario, el folio no se liberar\u00e1, lo que provocar\u00e1 una fuga de memoria. Esta fuga ocurrir\u00eda en un sistema de archivos con un tama\u00f1o de bloque superior a page_size y se realiza un truncamiento, donde el tama\u00f1o de bloque hace que los folios se dividan a folios de orden superior a 0, lo que impide la liberaci\u00f3n de los folios truncados."}], "lastModified": "2025-10-01T18:15:42.993", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51C9EFED-C087-4682-A533-58A43A67C9F2", "versionEndExcluding": "6.12.21", "versionStartIncluding": "6.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAECBE4D-58CF-4836-BBAB-5E28B800A778", "versionEndExcluding": "6.13.9", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}