CVE-2025-68292

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68292
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68292.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68292
Downstream
Published
2025-12-16T15:06:12.772Z
Modified
2026-03-10T21:50:57.155468Z
Summary
mm/memfd: fix information leak in hugetlb folios
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/memfd: fix information leak in hugetlb folios

When allocating hugetlb folios for memfd, three initialization steps are missing:

  1. Folios are not zeroed, leading to kernel memory disclosure to userspace
  2. Folios are not marked uptodate before adding to page cache
  3. hugetlbfaultmutex is not taken before hugetlbaddtopagecache()

The memfd allocation path bypasses the normal page fault handler (hugetlbnopage) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA.

Fix by matching the initialization pattern used in hugetlbnopage(): - Zero the folio using foliozerouser() which is optimized for huge pages - Mark it uptodate with foliomarkuptodate() - Take hugetlbfaultmutex before adding to page cache to prevent races

The foliozerouser() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68292.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
89c1905d9c140372b7f50ef48f42378cf85d9bc5
Fixed
50b4c1c28733a536d637d2f0401d60bcfef60ef2
Fixed
b09d7c4dc642849d9a96753233c6d00364017fd6
Fixed
de8798965fd0d9a6c47fc2ac57767ec32de12b49

Affected versions

v6.*
v6.10
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.57
v6.12.58
v6.12.59
v6.12.6
v6.12.60
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.10
v6.17.2
v6.17.3
v6.17.4
v6.17.5
v6.17.6
v6.17.7
v6.17.8
v6.17.9
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68292.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.12.61
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.11

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68292.json"