VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 15, 2025· Updated Apr 15, 2026

CVE-2025-39992

CVE-2025-39992

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: swap: check for stable address space before operating on the VMA

It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault

The issue is manifested from the below race between the fork() on a process and swapoff: fork(dup_mmap()) swapoff(unuse_mm) --------------- ----------------- 1) Identical mtree is built using __mt_dup().

2) copy_pte_range()--> copy_nonpresent_pte(): The dst mm is added into the mmlist to be visible to the swapoff operation.

3) Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XA_ZERO_ENTRY as a marker for this process that helps during exit_mmap().

4) swapoff is tried on the 'mm' added to the 'mmlist' as part of the 2.

5) unuse_mm(), that iterates through the vma's of this 'mm' will hit the non-NULL zero entry and operating on this zero entry as a vma is resulting into the oops.

The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap().

Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Linux kernel's swapoff path can cause a NULL pointer dereference when a partially-initialized VMA tree is accessed.

Vulnerability

Overview

CVE-2025-39992 is a race condition in the Linux kernel's memory management subsystem, specifically in the swapoff path. The bug occurs when unuse_mm() traverses the virtual memory area (VMA) tree of a process that is concurrently undergoing fork(). During fork, if a fatal signal is sent to the parent process, the VMA tree may contain XA_ZERO_ENTRY markers instead of valid VMA pointers. When swapoff later iterates over this tree via unuse_mm(), it attempts to dereference the zero entry as a VMA, leading to a kernel NULL pointer dereference and an OOPS [1].

Exploitation

Conditions

The vulnerability is triggered by a specific race between fork() (specifically dup_mmap()) and swapoff. The fork process builds an identical maple tree (mtree) using __mt_dup(), then copies page tables. During copy_nonpresent_pte(), the destination mm is added to the mmlist, making it visible to swapoff. If a fatal signal is sent to the parent before VMA duplication completes, the VMA range is marked with XA_ZERO_ENTRY as a placeholder for exit_mmap(). Swapoff, running concurrently, then iterates over this partially-valid tree and hits the zero entry, causing the crash [1].

Impact

An attacker who can trigger swapoff (e.g., by exhausting swap space or through privileged operations) and induce the race condition can cause a kernel NULL pointer dereference, resulting in a system crash (denial of service). The vulnerability does not require special privileges beyond those needed to trigger swapoff, but the race window is narrow. No code execution or privilege escalation is indicated [1].

Mitigation

The proper fix involves not exposing the partially-valid tree to other operations when the mmap lock is dropped, as addressed in a separate commit [1]. A simpler workaround is to check for the MMF_UNSTABLE flag, which is set when the mm_struct is not fully initialized during dup_mmap(). The kernel community has acknowledged the issue and recommends applying the stable kernel patch referenced in the advisory [1].

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

4
9cddad3b26da
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e4e99d69b8b8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
1367da7eb875
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
4e5f060d7347
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.