{
"threat_severity" : "Moderate",
"public_date" : "2025-09-23T00:00:00Z",
"bugzilla" : {
"description" : "kernel: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory",
"id" : "2397553",
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2397553"
},
"cvss3" : {
"cvss3_base_score" : "7.0",
"cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status" : "verified"
},
"cwe" : "CWE-416",
"details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\nWhen I did memory failure tests, below panic occurs:\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n\nunpoison_memory+0x2f3/0x590\nsimple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\ndebugfs_attr_write+0x42/0x60\nfull_proxy_write+0x5b/0x80\nvfs_write+0xd5/0x540\nksys_write+0x64/0xe0\ndo_syscall_64+0xb9/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered. This can be reproduced by below steps:\n1.Offline memory block:\necho offline > /sys/devices/system/memory/memory12/state\n2.Get offlined memory pfn:\npage-types -b n -rlN\n3.Write pfn to unpoison-pfn\necho > /sys/kernel/debug/hwpoison/unpoison-pfn\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug.", "A use-after-free memory bug exists in the linux kernel, such that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is triggered, leading to damage to the system availability and integrity." ],
"affected_release" : [ {
"product_name" : "Red Hat Enterprise Linux 10",
"release_date" : "2025-12-01T00:00:00Z",
"advisory" : "RHSA-2025:22395",
"cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
"package" : "kernel-0:6.12.0-124.16.1.el10_1"
}, {
"product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
"release_date" : "2026-01-08T00:00:00Z",
"advisory" : "RHSA-2026:0271",
"cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
"package" : "kernel-0:6.12.0-55.52.1.el10_0"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"release_date" : "2025-12-01T00:00:00Z",
"advisory" : "RHSA-2025:22387",
"cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
"package" : "kernel-rt-0:4.18.0-553.87.1.rt7.428.el8_10"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"release_date" : "2025-12-01T00:00:00Z",
"advisory" : "RHSA-2025:22388",
"cpe" : "cpe:/o:redhat:enterprise_linux:8",
"package" : "kernel-0:4.18.0-553.87.1.el8_10"
}, {
"product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
"release_date" : "2025-12-17T00:00:00Z",
"advisory" : "RHSA-2025:23445",
"cpe" : "cpe:/o:redhat:rhel_aus:8.2",
"package" : "kernel-0:4.18.0-193.178.1.el8_2"
}, {
"product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
"release_date" : "2026-01-14T00:00:00Z",
"advisory" : "RHSA-2026:0533",
"cpe" : "cpe:/o:redhat:rhel_aus:8.4",
"package" : "kernel-0:4.18.0-305.183.1.el8_4"
}, {
"product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
"release_date" : "2026-01-14T00:00:00Z",
"advisory" : "RHSA-2026:0533",
"cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
"package" : "kernel-0:4.18.0-305.183.1.el8_4"
}, {
"product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
"release_date" : "2025-11-25T00:00:00Z",
"advisory" : "RHSA-2025:22006",
"cpe" : "cpe:/o:redhat:rhel_aus:8.6",
"package" : "kernel-0:4.18.0-372.170.1.el8_6"
}, {
"product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
"release_date" : "2025-11-25T00:00:00Z",
"advisory" : "RHSA-2025:22006",
"cpe" : "cpe:/o:redhat:rhel_tus:8.6",
"package" : "kernel-0:4.18.0-372.170.1.el8_6"
}, {
"product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
"release_date" : "2025-11-25T00:00:00Z",
"advisory" : "RHSA-2025:22006",
"cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
"package" : "kernel-0:4.18.0-372.170.1.el8_6"
}, {
"product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
"release_date" : "2025-11-25T00:00:00Z",
"advisory" : "RHSA-2025:22072",
"cpe" : "cpe:/o:redhat:rhel_tus:8.8",
"package" : "kernel-0:4.18.0-477.120.1.el8_8"
}, {
"product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
"release_date" : "2025-11-25T00:00:00Z",
"advisory" : "RHSA-2025:22072",
"cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
"package" : "kernel-0:4.18.0-477.120.1.el8_8"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2026-01-12T00:00:00Z",
"advisory" : "RHSA-2026:0445",
"cpe" : "cpe:/a:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-611.20.1.el9_7"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2026-01-12T00:00:00Z",
"advisory" : "RHSA-2026:0445",
"cpe" : "cpe:/o:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-611.20.1.el9_7"
}, {
"product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"release_date" : "2025-12-10T00:00:00Z",
"advisory" : "RHSA-2025:22999",
"cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
"package" : "kernel-0:5.14.0-70.157.1.el9_0"
}, {
"product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"release_date" : "2025-12-10T00:00:00Z",
"advisory" : "RHSA-2025:22997",
"cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
"package" : "kernel-rt-0:5.14.0-70.157.1.rt21.229.el9_0"
}, {
"product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"release_date" : "2025-12-10T00:00:00Z",
"advisory" : "RHSA-2025:22996",
"cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
"package" : "kernel-0:5.14.0-284.149.1.el9_2"
}, {
"product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"release_date" : "2025-12-10T00:00:00Z",
"advisory" : "RHSA-2025:22995",
"cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
"package" : "kernel-rt-0:5.14.0-284.149.1.rt14.434.el9_2"
}, {
"product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
"release_date" : "2025-12-03T00:00:00Z",
"advisory" : "RHSA-2025:22661",
"cpe" : "cpe:/a:redhat:rhel_eus:9.4",
"package" : "kernel-0:5.14.0-427.102.1.el9_4"
}, {
"product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
"release_date" : "2025-12-01T00:00:00Z",
"advisory" : "RHSA-2025:22392",
"cpe" : "cpe:/a:redhat:rhel_eus:9.6",
"package" : "kernel-0:5.14.0-570.69.1.el9_6"
} ],
"package_state" : [ {
"product_name" : "Red Hat Enterprise Linux 6",
"fix_state" : "Out of support scope",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:6"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
} ],
"references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39883\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39883\nhttps://lore.kernel.org/linux-cve-announce/2025092302-CVE-2025-39883-6015@gregkh/T" ],
"name" : "CVE-2025-39883",
"mitigation" : {
"value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"lang" : "en:us"
},
"csaw" : false
}