VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 4, 2025· Updated Apr 15, 2026

CVE-2025-40230

CVE-2025-40230

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: prevent poison consumption when splitting THP

When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.

mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10: {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check

The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs.

First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic

[1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process.

[2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().

[3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().

[4] Try to map the unused THP to zeropage.

[5] Re-access pages in the hw-poisoned THP in the kernel.

[6] Triggered in-kernel, leading to a panic kernel.

In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().

As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4].

Thanks to Andrew Zaborowski for his initial work on fixing this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in the Linux kernel's THP splitting on MCE causes a second in-kernel #MC from reading pages, escalating the machine check from a killable user-space fault to a kernel panic.

Vulnerability

Overview

CVE-2025-40230 is a vulnerability in the Linux kernel's handling of Transparent Huge Pages (THP) during a Machine Check Exception (MCE). When a memory error occurs on a THP mapped to user space on x86, the kernel's memory failure handler splits the THP. The splitting process uses try_to_map_unused_to_zeropage() to identify zero-filled pages by reading pages, but this read triggers a second, in-kernel #MC before the initial MCE handling completes, leading to a kernel panic rather than terminating the affected process [1].

Attack

Vector and Exploitation Context

The bug is triggered by a hardware memory error (e.g., ECC error injection) on a THP that is accessible from user space. No special privileges or authentication are required to trigger the issue—it is a reliability and availability hazard that can be provoked by simulated or real memory faults. The kernel attempts to recover from the first user-space #MC by splitting the THP, but the split operation reads the poison-containing page, causing a second #MC in kernel mode, which is fatal [2].

Impact

An attacker who can cause or corrupt a memory error in a THP (for example, via controlled hardware fault injection or by exploiting another vulnerability to flip bits in a THP) could force the kernel to panic, resulting in a denial of service of the entire system. The proper behavior should be to terminate only the affected user-space process, but the double #MC bypasses this recovery [3].

Mitigation

Status

The Linux stable kernel series have been patched with commit [SHA] to avoid reading the THP during split. Users should apply the latest stable updates to eliminate the panic risk. No workaround is available other than updating the kernel.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

3
6fc0a7c99e97
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
92acf4b04f25
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
841a8bfcbad9
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.