CVE-2025-40174
Description
In the Linux kernel, the following vulnerability has been resolved:
x86/mm: Fix SMP ordering in switch_mm_irqs_off()
Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.
[ dhansen: merge conflict fixed by Ingo ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing memory barrier in Linux kernel's switch_mm_irqs_off() can cause TLB flushes to be missed, leading to incorrect memory mappings.
Vulnerability
In the Linux kernel's x86 memory management code, the function switch_mm_irqs_off() switches the memory context during a process context switch. A missing smp_mb() (a full SMP memory barrier) between the store to loaded_mm and the load of tlb_gen means that the ordering guarantees required for correct TLB flushing are not enforced. This allows a scenario in which switch_mm() fails to observe a recent update to tlb_gen made by a concurrent flush_tlb_mm_range() operation, and therefore does not flush the TLB.
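The store-then-load pattern described above is the classic "store buffering" shape: each side publishes a store and then reads what the other side published, and without a full barrier each CPU can read the old value from memory while its own store still sits in its store buffer. The following C program is an added illustration, not code from the Linux kernel or from this CVE record: it enumerates every interleaving of two abstract CPUs under a simple store-buffer model and reports whether the "both loads stale" outcome is reachable with and without a fence. The variable names loaded_mm and tlb_gen are borrowed as stand-ins, and the assumption that the flush side stores tlb_gen and then loads loaded_mm is a simplification of the real flush_tlb_mm_range() logic, made only to show the ordering problem.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Two shared words, standing in for loaded_mm (per-CPU) and tlb_gen (per-mm).
 * Value 0 = old, 1 = new. Names are stand-ins for the kernel's, not its code. */
enum { LOADED_MM = 0, TLB_GEN = 1, NVARS = 2 };

/* Each modelled CPU runs: store(my_var, 1); [full fence]; load(other_var).
 * CPU 0 plays switch_mm(): stores loaded_mm, loads tlb_gen.
 * CPU 1 plays the flusher (assumed shape): stores tlb_gen, loads loaded_mm. */
struct cpu {
    int pc;          /* 0 = store, 1 = fence slot, 2 = load, 3 = done */
    bool buf_valid;  /* a store sits in this CPU's store buffer, invisible to others */
    int buf_addr;
    int result;      /* value the load observed */
};

struct state {
    int mem[NVARS];
    struct cpu cpu[2];
};

static const int store_var[2] = { LOADED_MM, TLB_GEN };
static const int load_var[2]  = { TLB_GEN, LOADED_MM };

/* Depth-first enumeration of all interleavings. Returns true if some schedule
 * ends with both CPUs having read the stale (0) value, i.e. neither side
 * notices the other's update and no flush happens. */
static bool explore(struct state s, bool with_fence)
{
    if (s.cpu[0].pc == 3 && s.cpu[1].pc == 3)
        return s.cpu[0].result == 0 && s.cpu[1].result == 0;

    for (int c = 0; c < 2; c++) {
        const struct cpu *cp = &s.cpu[c];

        /* Option A: this CPU's store buffer drains its pending store to memory. */
        if (cp->buf_valid) {
            struct state n = s;
            n.mem[cp->buf_addr] = 1;
            n.cpu[c].buf_valid = false;
            if (explore(n, with_fence))
                return true;
        }

        /* Option B: this CPU executes its next instruction. */
        struct state n = s;
        struct cpu *np = &n.cpu[c];
        switch (cp->pc) {
        case 0: /* store enters the buffer; other CPUs cannot see it yet */
            np->buf_valid = true;
            np->buf_addr = store_var[c];
            np->pc = 1;
            break;
        case 1: /* full fence: may only retire once the store buffer is empty */
            if (with_fence && cp->buf_valid)
                continue;
            np->pc = 2;
            break;
        case 2: /* load: forward from own buffer if it holds this address, else read memory */
            np->result = (cp->buf_valid && cp->buf_addr == load_var[c])
                         ? 1 : s.mem[load_var[c]];
            np->pc = 3;
            break;
        default:
            continue;
        }
        if (explore(n, with_fence))
            return true;
    }
    return false;
}

/* Public entry point: can both sides miss each other's update? */
bool stale_outcome_reachable(bool with_fence)
{
    struct state s;
    memset(&s, 0, sizeof s);
    return explore(s, with_fence);
}

int main(void)
{
    printf("without fence: both-stale outcome reachable = %s\n",
           stale_outcome_reachable(false) ? "yes" : "no");
    printf("with fence:    both-stale outcome reachable = %s\n",
           stale_outcome_reachable(true) ? "yes" : "no");
    return 0;
}
```

Without the fence the search finds a schedule in which both stores are still buffered when the loads execute, so switch_mm() reads the old tlb_gen and the flusher reads the old loaded_mm; with a fence that drains the buffer before the load, no interleaving produces that outcome, which is the guarantee the missing smp_mb() was supposed to provide.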
Exploitation
The vulnerability is a CPU memory ordering issue that can be exploited by an unprivileged local attacker. By triggering a race condition between a context switch and a TLB flush on another CPU, the attacker can cause the TLB to retain stale entries. No special authentication or network access is required; the attacker only needs the ability to execute code on the system and induce the necessary timing.
Impact
If the TLB is not properly flushed, the processor may use outdated page table entries. This can lead to incorrect memory accesses, potentially allowing an attacker to read sensitive kernel memory or cause a use-after-free condition. The exact impact depends on the system configuration and the attacker's ability to control the race window.
Mitigation
The issue has been fixed in the Linux kernel stable tree via commits [1] and [2]. Users should update to a kernel version that includes these patches. No workaround is available other than applying the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
20fe5e3f5fb7583b0177a6c48
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.