CVE-2025-38686

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38686
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38686.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38686
Published
2025-09-04T15:32:40.771Z
Modified
2025-11-20T10:15:30.537626Z
Summary
userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry
Details

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry

When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with obtaining a folio and accessing it even though the entry is swp_entry_t. Add the missing check and let split_huge_pmd() handle migration entries. While at it also remove unnecessary folio check.

[surenb@google.com: remove extra folio check, per David]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
adef440691bab824e39c1b17382322d195e1fab0
Fixed
bb81c18dbd42650c844e160cafa7cbb20243a96a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
adef440691bab824e39c1b17382322d195e1fab0
Fixed
1202abad7a7ccd28c426d2844771a387b07629a4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
adef440691bab824e39c1b17382322d195e1fab0
Fixed
7f1101a0a181243ad587ececdffc4845f035549f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
adef440691bab824e39c1b17382322d195e1fab0
Fixed
aba6faec0103ed8f169be8dce2ead41fcb689446

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.10
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.15.9
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.7
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.43
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.11
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.2