VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68293

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix NULL pointer dereference when splitting folio

Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work.

This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference.

This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags.
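The check reordering described above, as an added example that is not kernel code and not part of the original advisory. It is a simplified userspace C model: the struct layouts, the `model_` names, the flag encoding and the error codes are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: these types and names are hypothetical, not kernel code. */
struct address_space { unsigned long flags; };  /* low bits model a minimum folio order */
struct folio { struct address_space *mapping; };

#define MODEL_MIN_ORDER_MASK 0x1fUL  /* assumed encoding for this model */

static unsigned int model_min_order(const struct address_space *m)
{
    return (unsigned int)(m->flags & MODEL_MIN_ORDER_MASK);  /* reads m->flags */
}

/* Ordering the advisory describes as buggy: flags are read before the NULL test.
 * Only safe to call with a non-NULL mapping. */
int split_check_before_fix(const struct folio *f, unsigned int new_order)
{
    if (new_order < model_min_order(f->mapping))  /* faults if mapping == NULL */
        return -EINVAL;
    if (!f->mapping)  /* too late: the dereference has already happened */
        return -EBUSY;
    return 0;
}

/* Ordering after the fix: establish mapping != NULL, then read mapping->flags. */
int split_check_fixed(const struct folio *f, unsigned int new_order)
{
    if (!f->mapping)   /* shmem folio in the swap cache, or truncated folio */
        return -EBUSY; /* assumed error code for this model */
    if (new_order < model_min_order(f->mapping))
        return -EINVAL;
    return 0;
}

struct address_space sample_mapping = { .flags = 2 };  /* constructed: min order 2 */

int main(void)
{
    struct folio truncated = { .mapping = NULL };
    struct folio file_backed = { .mapping = &sample_mapping };

    printf("NULL mapping:         %d\n", split_check_fixed(&truncated, 0));
    printf("min order 2, split 1: %d\n", split_check_fixed(&file_backed, 1));
    printf("min order 2, split 2: %d\n", split_check_fixed(&file_backed, 2));
    return 0;
}
```

For every non-NULL mapping the two orderings return the same result; they differ only in whether a NULL mapping is rejected or dereferenced.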

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's huge_memory subsystem when splitting folios can be triggered by accessing mapping->flags on shmem or truncated folios.

Vulnerability

A NULL pointer dereference vulnerability exists in the Linux kernel's huge memory (THP) subsystem. The issue was introduced in commit c010d47f107f ("mm: thp: split huge page to any lower order pages") which added an early check on the folio's order via mapping->flags before proceeding with the split. However, for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. [1]

Exploitation

An attacker with local access and the ability to trigger the splitting of a huge folio on a shmem or truncated folio could potentially exploit this bug. The vulnerability requires the presence of such folios and the invocation of the split operation, which may be reachable via memory management system calls or other kernel operations. No authentication beyond local access is needed. [1]

Impact

A successful exploit would result in a kernel NULL pointer dereference, causing a system crash (denial of service). In some configurations, this could potentially be leveraged for privilege escalation if the attacker can control the dereferenced memory, though the primary impact is system instability. [1]

Mitigation

The fix is included in the Linux kernel stable tree as commit 592db83615a9f0164472ec789c2ed34ad35f732f, which moves the NULL check for mapping before accessing mapping->flags. Affected systems should apply the latest kernel updates. No workarounds are documented. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
