CVE-2025-39899

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-39899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-39899
Downstream
Published
2025-10-01T07:42:47.100Z
Modified
2026-01-15T03:10:54.682394Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/userfaultfd: fix kmaplocal LIFO ordering for CONFIGHIGHPTE

With CONFIGHIGHPTE on 32-bit ARM, movepagespte() maps PTE pages using kmaplocal_page(), which requires unmapping in Last-In-First-Out order.

The current code maps dstpte first, then srcpte, but unmaps them in the same order (dstpte, srcpte), violating the LIFO requirement. This causes the warning in kunmaplocalindexed():

WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmaplocalindexed+0x178/0x17c addr != _fixtovirt(FIXKMAP_BEGIN + idx)

Fix this by reversing the unmap order to respect LIFO ordering.

This issue follows the same pattern as similar fixes: - commit eca6828403b8 ("crypto: skcipher - fix mismatch between mapping and unmapping order") - commit 8cf57c6df818 ("nilfs2: eliminate staggered calls to kunmap in nilfs_rename")

Both of which addressed the same fundamental requirement that kmap_local operations must follow LIFO ordering.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39899.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
adef440691bab824e39c1b17382322d195e1fab0
Fixed
b051f707018967ea8f697d790a1ed8c443f63812
Fixed
bd1ee62759d0bd4d6b909731c076c230ac89d61e
Fixed
9614d8bee66387501f48718fa306e17f2aa3f2f3

Affected versions

v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.7
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39899.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.46
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39899.json"