CVE-2025-21696
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21696
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21696.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-21696
- Downstream
- Related
- Published
- 2025-02-12T13:27:54Z
- Modified
- 2025-10-22T08:31:54.462236Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- mm: clear uffd-wp PTE/PMD state on mremap()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm: clear uffd-wp PTE/PMD state on mremap()
When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFDFEATUREEVENTREMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROTWRITE) to trigger a warning in pagetablecheckpteflags() due to setting the pte to writable while uffd-wp is still set.
Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VMUFFDWP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced63b2d4174c4ad1f40b48d7138e71bcb564c1fe03Fixed310ac886d68de661c3a334198d8604b722d7fdf8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced63b2d4174c4ad1f40b48d7138e71bcb564c1fe03Fixed0cef0bb836e3cfe00f08f9606c72abd72fe78ca3
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"function": "move_ptes",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-013ac6af",
"signature_type": "Function",
"digest": {
"length": 1208.0,
"function_hash": "236977285983785899620535476934688271009"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"file": "mm/hugetlb.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-03e99aac",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"25842114185487299857265983642391716077",
"283202145690778682205889966677599971782",
"1126880549686419687480597959488351932",
"159953546146322371939794924619458022528",
"251789530843864452737865912197023686358",
"33484173707173575315223521318948967075",
"264310326518866034983334344500519070563",
"45174390059216371439901562844392836823"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"file": "include/linux/userfaultfd_k.h"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-05d020e2",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"122496953266106657411296278150343235011",
"97646567325986264998455196834339787648",
"303134716301366665141759707499190762182",
"111429716191227378384538057677408244665",
"37124437733065523744626765438005028683",
"269896746848011924705202535478236247024"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"function": "move_huge_pte",
"file": "mm/hugetlb.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-0dc309ea",
"signature_type": "Function",
"digest": {
"length": 528.0,
"function_hash": "25000743885793043519079084991761688283"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"function": "move_huge_pte",
"file": "mm/hugetlb.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-0ee776e3",
"signature_type": "Function",
"digest": {
"length": 528.0,
"function_hash": "25000743885793043519079084991761688283"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"function": "move_normal_pud",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-29a300e4",
"signature_type": "Function",
"digest": {
"length": 657.0,
"function_hash": "116646138050024284335220658378814236583"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"file": "mm/huge_memory.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-2fbbfb1f",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91936663029407752367720425455572430786",
"289695046339000709935878581016054217476",
"95031663997129128183644384946199459791",
"75603698926618389534692407574612787939",
"75390098543085922742325765452291878611",
"225355819055729223206047935745585168222",
"303194006010623952293019741748162955319"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-455954da",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"285331956068422426821364071296164100856",
"303263670064760027164580851423941003889",
"179568766286867245346198615141208561718",
"1778323555658950331150022930673110629",
"218141713657156208584777354509506017059",
"93891877448246695382110314337423251804",
"146893735436428800983312940882824895790",
"104434984268440644783913251904285434208",
"220108759961020368734651141979724048901",
"330609615285100139244318045395130620478",
"137586252339255593434059259461491086792",
"76540239746408621566418371452237330464",
"72077477271127323564964972754895758269",
"81625688981858205294951127328772885772"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"file": "mm/huge_memory.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-4beaff4e",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91936663029407752367720425455572430786",
"289695046339000709935878581016054217476",
"95031663997129128183644384946199459791",
"75603698926618389534692407574612787939",
"75390098543085922742325765452291878611",
"225355819055729223206047935745585168222",
"303194006010623952293019741748162955319"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"function": "move_huge_pmd",
"file": "mm/huge_memory.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-55d4acd4",
"signature_type": "Function",
"digest": {
"length": 873.0,
"function_hash": "20385993018323934398546413385871146379"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"file": "mm/hugetlb.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-57c29705",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"25842114185487299857265983642391716077",
"283202145690778682205889966677599971782",
"1126880549686419687480597959488351932",
"159953546146322371939794924619458022528",
"251789530843864452737865912197023686358",
"33484173707173575315223521318948967075",
"264310326518866034983334344500519070563",
"45174390059216371439901562844392836823"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"file": "include/linux/userfaultfd_k.h"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-9acb8c50",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"122496953266106657411296278150343235011",
"97646567325986264998455196834339787648",
"303134716301366665141759707499190762182",
"111429716191227378384538057677408244665",
"37124437733065523744626765438005028683",
"269896746848011924705202535478236247024"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"function": "move_ptes",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-abbe7190",
"signature_type": "Function",
"digest": {
"length": 1228.0,
"function_hash": "316861109032863551341186972360618216868"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@310ac886d68de661c3a334198d8604b722d7fdf8",
"target": {
"function": "move_normal_pmd",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-bc4d01da",
"signature_type": "Function",
"digest": {
"length": 779.0,
"function_hash": "18486648587798982774578673734504010103"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"function": "move_normal_pmd",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-ca1181ac",
"signature_type": "Function",
"digest": {
"length": 779.0,
"function_hash": "18486648587798982774578673734504010103"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"function": "move_huge_pmd",
"file": "mm/huge_memory.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-e0bc724a",
"signature_type": "Function",
"digest": {
"length": 873.0,
"function_hash": "20385993018323934398546413385871146379"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-f3e805f9",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"285331956068422426821364071296164100856",
"303263670064760027164580851423941003889",
"179568766286867245346198615141208561718",
"229550621851677837860588493776218675389",
"218141713657156208584777354509506017059",
"93891877448246695382110314337423251804",
"146893735436428800983312940882824895790",
"104434984268440644783913251904285434208",
"220108759961020368734651141979724048901",
"330609615285100139244318045395130620478",
"137586252339255593434059259461491086792",
"76540239746408621566418371452237330464",
"72077477271127323564964972754895758269",
"81625688981858205294951127328772885772"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0cef0bb836e3cfe00f08f9606c72abd72fe78ca3",
"target": {
"function": "move_normal_pud",
"file": "mm/mremap.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-21696-fc1ba0e2",
"signature_type": "Function",
"digest": {
"length": 657.0,
"function_hash": "116646138050024284335220658378814236583"
}
}
]