VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2025 · Updated Apr 15, 2026

CVE-2025-68329

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs

When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once.

This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON.

Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page.

Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely.
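The close-count mismatch described above, and the effect of a may_split callback that returns -EINVAL, as a user-space model added here (it is not kernel code and not the patch itself). `rb_model`, the `model_*` functions and `simulate` are hypothetical names, and the single `user_mapped` flag is a simplification of the kernel's mapping state.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Model only: user_mapped stands in for the ring buffer's mapping state. */
struct rb_model { int user_mapped; int warn_count; };

static int model_map(struct rb_model *rb) { rb->user_mapped = 1; return 0; }

static int model_unmap(struct rb_model *rb)
{
    if (!rb->user_mapped)
        return -ENODEV;          /* already unmapped by an earlier close */
    rb->user_mapped = 0;
    return 0;
}

/* Stand-in for the close handler: a failed unmap is what trips WARN_ON. */
static void model_close(struct rb_model *rb)
{
    if (model_unmap(rb))
        rb->warn_count++;
}

/* The fix as described: refuse every split. */
static int model_may_split(void) { return -EINVAL; }

/* Map once, attempt a partial munmap, then close whatever VMAs remain.
 * Returns the number of warnings; *split_ret receives the split result. */
int simulate(int (*may_split)(void), int *split_ret)
{
    struct rb_model rb = {0, 0};
    int nr_vmas = 1;

    model_map(&rb);              /* map is called exactly once */
    *split_ret = may_split ? may_split() : 0;
    if (*split_ret == 0)
        nr_vmas = 2;             /* split allowed: two portions exist */
    for (int i = 0; i < nr_vmas; i++)
        model_close(&rb);        /* close runs once per portion */
    return rb.warn_count;
}

int main(void)
{
    int ret, warns = simulate(NULL, &ret);
    printf("no may_split: split=%d warnings=%d\n", ret, warns);
    warns = simulate(model_may_split, &ret);
    printf("may_split:    split=%d warnings=%d\n", ret, warns);
    return 0;
}
```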

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A VMA split in Linux kernel trace buffer mappings triggers a WARN_ON because ring_buffer_unmap() is called multiple times but ring_buffer_map() was called only once.

In the Linux kernel, a vulnerability exists in the tracing subsystem where buffer mappings cannot be partially unmapped. When a virtual memory area (VMA) is split (e.g., by munmap or MAP_FIXED), the kernel calls vm_ops->close on each resulting VMA. For trace buffer mappings, this leads to ring_buffer_unmap() being invoked multiple times, while the corresponding ring_buffer_map() was only called once for the original mapping [1].

This mismatch causes subsequent calls to ring_buffer_unmap() to fail with -ENODEV because the user_mapped flag is already cleared, which then triggers a WARN_ON. The root cause is that the trace buffer relies on a complete mapping (including the meta page), and partial unmapping is not supported [1].

An attacker with the ability to partially unmap a trace buffer VMA (e.g., via munmap on only part of the mapping) could cause a kernel warning, potentially leading to a denial of service. No privilege escalation is indicated from the available sources [1].

The fix adds a may_split callback to the VMA operations, which returns -EINVAL to prevent VMA splits entirely for trace buffer mappings. This patch has been applied to the Linux kernel stable tree [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
