CVE-2025-39903 (GCVE-0-2025-39903)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
of_numa: fix uninitialized memory nodes causing kernel panic
When there are memory-only nodes (nodes without CPUs), these nodes are not
properly initialized, causing kernel panic during boot.
of_numa_init
of_numa_parse_cpu_nodes
node_set(nid, numa_nodes_parsed);
of_numa_parse_memory_nodes
In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes
containing CPUs. Memory-only nodes should have been updated in
of_numa_parse_memory_nodes, but they weren't.
Subsequently, when free_area_init() attempts to access NODE_DATA() for
these uninitialized memory nodes, the kernel panics due to NULL pointer
dereference.
This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:
qemu-system-aarch64 \
-cpu host -nographic \
-m 4G -smp 1 \
-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \
-object memory-backend-ram,size=2G,id=mem0 \
-object memory-backend-ram,size=2G,id=mem1 \
-numa node,nodeid=0,memdev=mem0 \
-numa node,nodeid=1,memdev=mem1 \
-kernel $IMAGE \
-hda $DISK \
-append "console=ttyAMA0 root=/dev/vda rw earlycon"
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]
[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025
[ 0.000000] KASLR enabled
[ 0.000000] random: crng init done
[ 0.000000] Machine model: linux,dummy-virt
[ 0.000000] efi: UEFI not found.
[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')
[ 0.000000] printk: legacy bootconsole [pl11] enabled
[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]
[ 0.000000] node 1 must be removed before remove section 23
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff]
[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 0.000000] Mem abort info:
[ 0.000000] ESR = 0x0000000096000004
[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.000000] SET = 0, FnV = 0
[ 0.000000] EA = 0, S1PTW = 0
[ 0.000000] FSC = 0x04: level 0 translation fault
[ 0.000000] Data abort info:
[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 0.000000] [00000000000000a0] user address but active_mm is swapper
[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT
[ 0.000000] Hardware name: linux,dummy-virt (DT)
[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.000000] pc : free_area_init+0x50c/0xf9c
[ 0.000000] lr : free_area_init+0x5c0/0xf9c
[ 0.000000] sp : ffffa02ca0f33c00
[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000
[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000
[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368
[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002
[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001
[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002
[ 0.0
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/of_numa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2daa6eb4740720b5bd0e06267d7c93a3eed844e",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
},
{
"lessThan": "f3286ad8eeae15fd4bd5c12f9adfe888b26baf62",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
},
{
"lessThan": "ee4d098cbc9160f573b5c1b5a51d6158efdb2896",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/of_numa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs. Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren\u0027t.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[ 0.000000] KASLR enabled\n[ 0.000000] random: crng init done\n[ 0.000000] Machine model: linux,dummy-virt\n[ 0.000000] efi: UEFI not found.\n[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options \u0027\u0027)\n[ 0.000000] printk: legacy bootconsole [pl11] enabled\n[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[ 0.000000] node 1 must be removed before remove section 23\n[ 0.000000] Zone ranges:\n[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff]\n[ 0.000000] DMA32 empty\n[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff]\n[ 0.000000] Movable zone start for each node\n[ 0.000000] Early memory node ranges\n[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff]\n[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff]\n[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 0.000000] Mem abort info:\n[ 0.000000] ESR = 0x0000000096000004\n[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 0.000000] SET = 0, FnV = 0\n[ 0.000000] EA = 0, S1PTW = 0\n[ 0.000000] FSC = 0x04: level 0 translation fault\n[ 0.000000] Data abort info:\n[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 0.000000] [00000000000000a0] user address but active_mm is swapper\n[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 0.000000] Modules linked in:\n[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[ 0.000000] Hardware name: linux,dummy-virt (DT)\n[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 0.000000] pc : free_area_init+0x50c/0xf9c\n[ 0.000000] lr : free_area_init+0x5c0/0xf9c\n[ 0.000000] sp : ffffa02ca0f33c00\n[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[ 0.0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:50.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e"
},
{
"url": "https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"
},
{
"url": "https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896"
}
],
"title": "of_numa: fix uninitialized memory nodes causing kernel panic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39903",
"datePublished": "2025-10-01T07:42:50.215Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:50.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-39903\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-01T08:15:33.133\",\"lastModified\":\"2025-10-02T19:12:17.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nof_numa: fix uninitialized memory nodes causing kernel panic\\n\\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\\nproperly initialized, causing kernel panic during boot.\\n\\nof_numa_init\\n\\tof_numa_parse_cpu_nodes\\n\\t\\tnode_set(nid, numa_nodes_parsed);\\n\\tof_numa_parse_memory_nodes\\n\\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\\ncontaining CPUs. Memory-only nodes should have been updated in\\nof_numa_parse_memory_nodes, but they weren\u0027t.\\n\\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\\ndereference.\\n\\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\\n\\nqemu-system-aarch64 \\\\\\n-cpu host -nographic \\\\\\n-m 4G -smp 1 \\\\\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\\\\n-object memory-backend-ram,size=2G,id=mem0 \\\\\\n-object memory-backend-ram,size=2G,id=mem1 \\\\\\n-numa node,nodeid=0,memdev=mem0 \\\\\\n-numa node,nodeid=1,memdev=mem1 \\\\\\n-kernel $IMAGE \\\\\\n-hda $DISK \\\\\\n-append \\\"console=ttyAMA0 root=/dev/vda rw earlycon\\\"\\n\\n[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\\n[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\\n[ 0.000000] KASLR enabled\\n[ 0.000000] random: crng init done\\n[ 0.000000] Machine model: linux,dummy-virt\\n[ 0.000000] efi: UEFI not found.\\n[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options \u0027\u0027)\\n[ 0.000000] printk: legacy bootconsole [pl11] enabled\\n[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\\n[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\\n[ 0.000000] node 1 must be removed before remove section 23\\n[ 0.000000] Zone ranges:\\n[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff]\\n[ 0.000000] DMA32 empty\\n[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff]\\n[ 0.000000] Movable zone start for each node\\n[ 0.000000] Early memory node ranges\\n[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff]\\n[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff]\\n[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\\n[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\\n[ 0.000000] Mem abort info:\\n[ 0.000000] ESR = 0x0000000096000004\\n[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits\\n[ 0.000000] SET = 0, FnV = 0\\n[ 0.000000] EA = 0, S1PTW = 0\\n[ 0.000000] FSC = 0x04: level 0 translation fault\\n[ 0.000000] Data abort info:\\n[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n[ 0.000000] [00000000000000a0] user address but active_mm is swapper\\n[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP\\n[ 0.000000] Modules linked in:\\n[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\\n[ 0.000000] Hardware name: linux,dummy-virt (DT)\\n[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 0.000000] pc : free_area_init+0x50c/0xf9c\\n[ 0.000000] lr : free_area_init+0x5c0/0xf9c\\n[ 0.000000] sp : ffffa02ca0f33c00\\n[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\\n[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\\n[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\\n[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\\n[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\\n[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\\n[ 0.0\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…