CVE-2025-40245
Description
In the Linux kernel, the following vulnerability has been resolved:
nios2: ensure that memblock.current_limit is set when setting pfn limits
On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.
This can in turn cause kernel-level paging failures, e.g.:
[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
[ 76.900000] Kernel panic - not syncing: Oops
[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
On nios2 systems with CONFIG_FLATMEM, a memblock.current_limit that is still at its default value of MEMBLOCK_ALLOC_ANYWHERE can cause max_low_pfn to exceed max_pfn, leading to kernel paging failures and a panic.
Analysis
In the Linux kernel for the nios2 architecture, when CONFIG_FLATMEM is enabled, the kernel uses memblock_get_current_limit() to determine the bounds of the memory map, specifically for max_low_pfn. During early boot, memblock.current_limit is only default-initialized to MEMBLOCK_ALLOC_ANYWHERE, which may not reflect the actual physical memory limits [1]. This can lead to max_low_pfn being set to a value that exceeds max_pfn, thereby referring to memory beyond the available DRAM.
An attacker does not need special privileges to trigger this state; it can occur if the system has certain memory configurations that expose the initialization gap. When the kernel later accesses memory pages that it believes are valid but actually lie outside the physical RAM, a paging request fails, as exemplified by the kernel panic trace showing an "Unable to handle kernel paging request" at address 20303000. This results in a system crash (kernel oops and panic) [2].
The impact is a denial of service (system crash) on affected nios2 systems. No workaround is provided beyond applying the patch. The fix introduces a call to adjust_lowmem_bounds early in boot, which pre-calculates memblock.current_limit based on the upper limits of available memory ranges, following a similar approach used in the ARM architecture. This patch has been merged into the stable kernel trees; users should update their kernels to the corrected version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
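The user-space C model below is an added example, not code from the kernel or from the patch. It shows how a limit left at MEMBLOCK_ALLOC_ANYWHERE pushes max_low_pfn past max_pfn, and how deriving the limit from the memory ranges restores the invariant. The 32-bit phys_addr_t, the 4 KiB page size, the two DRAM ranges, and the helpers end_of_dram and limits_valid are assumptions made for illustration.

```c
/* User-space model (added example, not kernel code). Names mirror the
 * identifiers in the description; the memory ranges are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t phys_addr_t;            /* assumption: 32-bit physical addresses */
#define PAGE_SHIFT 12                    /* assumption: 4 KiB pages */
#define PFN_DOWN(x) ((unsigned long)((x) >> PAGE_SHIFT))
#define MEMBLOCK_ALLOC_ANYWHERE (~(phys_addr_t)0)

struct mem_range { phys_addr_t start, end; };   /* end is exclusive */

/* Constructed sample: two 64 MiB banks, 128 MiB of DRAM in total. */
static const struct mem_range ranges[] = { { 0x00000000u, 0x04000000u }, { 0x04000000u, 0x08000000u } };
static const size_t nr_ranges = sizeof(ranges) / sizeof(ranges[0]);

/* Default value, as it stands before anything sets a real limit. */
static phys_addr_t current_limit = MEMBLOCK_ALLOC_ANYWHERE;

/* Hypothetical helper: highest end address over all ranges. */
static phys_addr_t end_of_dram(void)
{
    phys_addr_t end = 0;
    for (size_t i = 0; i < nr_ranges; i++)
        if (ranges[i].end > end)
            end = ranges[i].end;
    return end;
}

/* Model of the fix: derive the limit from the ranges before it is used. */
static void adjust_lowmem_bounds(void) { current_limit = end_of_dram(); }

static unsigned long max_pfn(void)     { return PFN_DOWN(end_of_dram()); }
static unsigned long max_low_pfn(void) { return PFN_DOWN(current_limit); }

/* Invariant the bug violates: low memory must not extend past DRAM. */
static int limits_valid(void) { return max_low_pfn() <= max_pfn(); }

int main(void)
{
    printf("before: max_low_pfn=%#lx max_pfn=%#lx valid=%d\n",
           max_low_pfn(), max_pfn(), limits_valid());
    adjust_lowmem_bounds();
    printf("after:  max_low_pfn=%#lx max_pfn=%#lx valid=%d\n",
           max_low_pfn(), max_pfn(), limits_valid());
    return 0;
}
```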
Affected products
2
Patches
6
- 25f09699edd3
- 5c3e38a36782
- b1ec9faef7e3
- 90f5f715550e
- 8912814f14e2
- a20b83cf45be
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3 (nvd)
- git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2 (nvd)
- git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c (nvd)
- git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997 (nvd)
- git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94 (nvd)
- git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975 (nvd)