CVE-2025-38447

EUVD-2025-22694

25.07.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

mm/rmap: fix potential out-of-bounds page table access during batched unmap

As pointed out by David[1], the batched unmap logic in
try_to_unmap_one() may read past the end of a PTE table when a large
folio's PTE mappings are not fully contained within a single page
table.

While this scenario might be rare, an issue triggerable from userspace
must be fixed regardless of its likelihood.  This patch fixes the
out-of-bounds access by refactoring the logic into a new helper,
folio_unmap_pte_batch().

The new helper correctly calculates the safe batch size by capping the
scan at both the VMA and PMD boundaries.  To simplify the code, it also
supports partial batching (i.e., any number of pages from 1 up to the
calculated safe maximum), as there is no strong reason to special-case
for fully mapped folios.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.15 ≤ 𝑥 < 6.15.7
linux	linux_kernel	6.16:rc1
linux	linux_kernel	6.16:rc2
linux	linux_kernel	6.16:rc3
linux	linux_kernel	6.16:rc4
linux	linux_kernel	6.16:rc5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.162-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.249-1 fixed
forky	6.18.9-1 fixed
sid	6.18.12-1 fixed
trixie	6.12.63-1 fixed
trixie (security)	6.12.73-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	not-affected

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-hwe-6.11

bionic	dne
focal	dne
jammy	dne
noble	ignored
plucky	dne
trusty	dne
xenial	dne

linux-hwe-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	ignored

linux-lts-xenial

bionic	dne
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	not-affected
xenial	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	not-affected

linux-allwinner-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-aws-hwe

bionic	dne
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-6.11

bionic	dne
focal	dne
jammy	dne
noble	ignored
plucky	dne
trusty	dne
xenial	dne

linux-azure-fde

bionic	dne
focal	ignored
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	dne
xenial	dne

linux-azure-fde-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-fde-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-fde-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-nvidia

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-bluefield

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	not-affected

linux-aws-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-azure-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	dne
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gcp-6.11

bionic	dne
focal	dne
jammy	dne
noble	ignored
plucky	dne
trusty	dne
xenial	dne

linux-gcp-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-gke

bionic	dne
focal	ignored
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	ignored

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gke-5.15

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gkeop

bionic	dne
focal	ignored
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-gkeop-5.15

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-ibm

bionic	dne
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-ibm-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-ibm-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-intel-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-intel-iotg

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-intel-iotg-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-iot

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency

bionic	dne
focal	dne
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.11

bionic	dne
focal	dne
jammy	dne
noble	ignored
plucky	dne
trusty	dne
xenial	dne

linux-nvidia

bionic	dne
focal	dne
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-tegra

bionic	dne
focal	dne
jammy	not-affected
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-tegra-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-tegra-igx

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oracle-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	ignored

linux-oem-5.6

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-5.10

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-5.14

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-5.17

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.0

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.1

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.8

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.11

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-oem-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-raspi2

bionic	ignored
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	ignored

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-riscv

bionic	dne
focal	ignored
jammy	ignored
noble	ignored
plucky	not-affected
trusty	dne
xenial	dne

linux-riscv-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-riscv-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-starfive-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-starfive-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-starfive-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-xilinx-zynqmp

bionic	dne
focal	not-affected
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	dne
xenial	not-affected

linux-raspi

bionic	dne
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	dne
xenial	dne

linux-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	dne
xenial	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-nvidia-6.11

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

linux-realtime-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
plucky	dne
trusty	dne
xenial	dne

linux-realtime-6.14

bionic	dne
focal	dne
jammy	dne
noble	not-affected
plucky	dne
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/510fe9c15d07e765d96be9a9dc37e5057c6c09f4

https://git.kernel.org/stable/c/ddd05742b45b083975a0855ef6ebbf88cf1f532a