CVE-2025-68198
Description
In the Linux kernel, the following vulnerability has been resolved:
crash: fix crashkernel resource shrink
When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:
- Invalid crashkernel resource objects
- Kernel crash if crashkernel shrinking is done twice
For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as:
    cat /proc/iomem | grep -i crash
    af000000-beffffff : Crash kernel
    433000000-43f7fffff : Crash kernel
If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
    af000000-beffffff : Crash kernel
Instead, it should show 50MB:
    af000000-b21fffff : Crash kernel
Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):
    BUG: kernel NULL pointer dereference, address: 0000000000000038
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    <snip...>
    Call Trace:
     ? __die_body.cold+0x19/0x27
     ? page_fault_oops+0x15a/0x2f0
     ? search_module_extables+0x19/0x60
     ? search_bpf_extables+0x5f/0x80
     ? exc_page_fault+0x7e/0x180
     ? asm_exc_page_fault+0x26/0x30
     ? __release_resource+0xd/0xb0
     release_resource+0x26/0x40
     __crash_shrink_memory+0xe5/0x110
     crash_shrink_memory+0x12a/0x190
     kexec_crash_size_store+0x41/0x80
     kernfs_fop_write_iter+0x141/0x1f0
     vfs_write+0x294/0x460
     ksys_write+0x6d/0xf0
    <snip...>
This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.
Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.
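A consistency check for the state described above, as an added example that is not part of the CVE record or the kernel source: it sums the "Crash kernel" ranges in /proc/iomem-format text and compares the total with the size that was written to /sys/kernel/kexec_crash_size. The function names and the sample inputs (built from the ranges quoted in the description) are assumptions of this example, and the expected size is assumed to need no rounding by the kernel.

```shell
#!/bin/sh
# Added example: check a crashkernel shrink against /proc/iomem.

# Constructed samples, built from the ranges quoted in the description.
SAMPLE_BEFORE='af000000-beffffff : Crash kernel
433000000-43f7fffff : Crash kernel'
SAMPLE_STALE='  af000000-beffffff : Crash kernel'    # low region not shrunk
SAMPLE_EXPECTED='  af000000-b21fffff : Crash kernel' # 50MB, as it should be
SAMPLE_MASKED='  00000000-00000000 : Crash kernel'   # unprivileged read

# Sum the sizes in bytes of all "Crash kernel" ranges in iomem text on stdin.
# Returns 2 if the addresses are zeroed, as they are for unprivileged readers.
crash_reserved_bytes() {
    total=0
    while read -r range sep name; do
        [ "$name" = "Crash kernel" ] || continue
        start=${range%-*}
        end=${range#*-}
        [ $((0x$end)) -ne 0 ] || return 2
        total=$((total + 0x$end - 0x$start + 1))
    done
    echo "$total"
}

# check_shrink EXPECTED_BYTES < iomem-text
# 0: reservation matches; 1: stale or wrong reservation; 2: cannot tell.
check_shrink() {
    reserved=$(crash_reserved_bytes) || return 2
    if [ "$reserved" -ne "$1" ]; then
        echo "mismatch: expected $1 bytes, iomem reserves $reserved" >&2
        return 1
    fi
}

# Demo on the constructed samples; on a live system, run as root:
#   check_shrink 52428800 < /proc/iomem
printf '%s\n' "$SAMPLE_EXPECTED" | check_shrink 52428800 && echo "consistent"
printf '%s\n' "$SAMPLE_STALE" | check_shrink 52428800 ||
    echo "inconsistent: avoid shrinking again on this kernel"
```

A return value of 1 after a shrink corresponds to the invalid resource state in the description, where /proc/iomem still lists the full low reservation.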
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel crashkernel shrink operation can corrupt resource objects or cause a NULL-pointer dereference when the shrink value falls below the low reservation.
Vulnerability
In the Linux kernel, when crashkernel is configured with a high reservation (e.g., crashkernel=200M,high), the kernel reserves both a high memory region and a default low memory region. Shrinking the crashkernel size below the low reservation via /sys/kernel/kexec_crash_size can lead to two issues: (1) the crashk_res resource object is incorrectly updated instead of crashk_low_res, leaving an invalid resource entry in /proc/iomem; (2) a subsequent shrink operation triggers a kernel crash due to a NULL-pointer dereference in __release_resource [1].
Exploitation
An attacker with local access and the ability to write to /sys/kernel/kexec_crash_size can trigger the bug. No special privileges beyond the ability to modify that sysfs file are required. The attack surface is limited to systems where crashkernel=high is configured and the user can reduce the reserved size below the low threshold [1].
Impact
Successful exploitation causes a kernel NULL-pointer dereference, leading to a system crash (denial of service). Additionally, the resource tracking corruption may leave stale or overlapping memory regions, potentially affecting subsequent crash dump operations or memory management [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit f89c5e7077f6. Users should apply the latest kernel updates from their distribution. No workaround is available other than avoiding the shrink operation on affected kernels [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.