CVE-2025-68231
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/mempool: fix poisoning order>0 pages with HIGHMEM
The kernel test has reported:
  BUG: unable to handle page fault for address: fffba000
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  *pde = 03171067 *pte = 00000000
  Oops: Oops: 0002 [#1]
  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
  Tainted: [T]=RANDSTRUCT
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
  Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
  EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
  ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
  CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
  Call Trace:
   poison_element (mm/mempool.c:83 mm/mempool.c:102)
   mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
   mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
   ? mempool_alloc_pages (mm/mempool.c:640)
   bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
   ? mempool_alloc_pages (mm/mempool.c:640)
   do_one_initcall (init/main.c:1283)
Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed.
We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages.
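The two access patterns side by side, as an added userspace model in C (not the kernel patch and not code from this page). `map_page`, `unmap_page`, the `frames`/`window` arrays and the function names are hypothetical stand-ins for a temporary highmem mapping, a `-1` return stands in for the page fault, and writing the end marker once per page in the fixed variant is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define MAX_PAGES   8u
#define POISON_FREE 0x6b /* fill byte; 0x6b is the value in EAX in the oops */
#define POISON_END  0xa5 /* marker in the last byte of a poisoned region */

/* Constructed model: a highmem frame is reachable only through a one-page
 * window while it is mapped, like a temporary kernel mapping. */
static unsigned char frames[MAX_PAGES][PAGE_SIZE], window[PAGE_SIZE];
static unsigned mapped;
static unsigned char *map_page(unsigned pfn) {
    mapped = pfn;
    return memcpy(window, frames[pfn], PAGE_SIZE);
}
static void unmap_page(void) { memcpy(frames[mapped], window, PAGE_SIZE); }

/* Poison size bytes at addr; -1 stands in for the page fault. */
static int poison_range(unsigned char *addr, size_t size) {
    if (size > PAGE_SIZE) return -1; /* would run past the mapped page */
    memset(addr, POISON_FREE, size - 1);
    addr[size - 1] = POISON_END;
    return 0;
}
/* Pre-fix shape: map the first page, then touch the whole order-N block. */
int poison_pages_buggy(unsigned pfn, unsigned order) {
    int ret = poison_range(map_page(pfn), (size_t)PAGE_SIZE << order);
    unmap_page();
    return ret;
}
/* Post-fix shape: map, poison and unmap each page individually. */
int poison_pages_fixed(unsigned pfn, unsigned order) {
    for (unsigned i = 0; i < (1u << order); i++) {
        poison_range(map_page(pfn + i), PAGE_SIZE);
        unmap_page();
    }
    return 0;
}
/* 1 if every page of the block carries the poison pattern. */
int block_is_poisoned(unsigned pfn, unsigned order) {
    for (unsigned i = 0; i < (1u << order); i++)
        if (frames[pfn + i][0] != POISON_FREE || frames[pfn + i][PAGE_SIZE - 1] != POISON_END)
            return 0;
    return 1;
}
int main(void) {
    printf("buggy order-1: %d, fixed order-1: %d\n", poison_pages_buggy(0, 1), poison_pages_fixed(0, 1));
    return !block_is_poisoned(0, 1);
}
```

Order-0 allocations pass through the pre-fix path without error, which is why the fault only shows up for pools of order > 0 pages.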
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, mempool poisoning with HIGHMEM causes a page fault when accessing high-order pages beyond the first page.
The vulnerability resides in the mm/mempool.c file, specifically in the poisoning code used for memory pool elements. When CONFIG_HIGHMEM is enabled, the kernel maps only the first page of a high-order (order > 0) page allocation but then attempts to poison or check the entire contiguous range. This mismatch leads to a page fault because the subsequent pages are not mapped in the kernel's address space.
Exploitation of this bug does not require any special user privileges as it occurs during kernel initialization, specifically in the poison_element and mempool_init_node functions. The fault is triggered when a memory pool is initialized, such as during the creation of bio integrity pools (bio_integrity_initfn). An attacker with the ability to trigger memory pool initialization on a system with HIGHMEM enabled could cause a kernel panic, leading to a denial of service.
The impact is a system crash with an Oops message indicating a page fault in the memset function. The kernel attempts to write to an unmapped high memory address, resulting in a supervisor write access error. This can effectively render the system unavailable until reboot.
The fix involves modifying the poisoning code to iterate over each individual page in a high-order allocation, mapping and unmapping each page as necessary. This ensures that all pages are properly accessed without causing a page fault. Patches have been applied to the stable kernel tree to address this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- git.kernel.org/stable/c/19de79aaea33ee1ea058c8711b3b2b4a7e4decd4 (nvd)
- git.kernel.org/stable/c/6a13b56537e7b0d97f4bb74e8038ce471f9770d7 (nvd)
- git.kernel.org/stable/c/a79e49e1704367b635edad1479db23d7cf1fb71a (nvd)
- git.kernel.org/stable/c/ea4131665107e66ece90e66bcec1a2f1246cbd41 (nvd)
- git.kernel.org/stable/c/ec33b59542d96830e3c89845ff833cf7b25ef172 (nvd)