ghsa-qqq6-9fj8-x34c
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: fix race condition in unaccepted memory handling
The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory.
Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone.
Sanity checks inside static_branch machinery detects it:
WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0
The comment around the WARN() explains the problem:
/*
* Warn about the '-1' case though; since that means a
* decrement is concurrent with a first (0->1) increment. IOW
* people are trying to disable something that wasn't yet fully
* enabled. This suggests an ordering problem on the user side.
*/
The effect of this static_branch optimization is only visible on microbenchmark.
Instead of adding more complexity around it, remove it altogether.
{
"affected": [],
"aliases": [
"CVE-2025-38008"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T10:15:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: fix race condition in unaccepted memory handling\n\nThe page allocator tracks the number of zones that have unaccepted memory\nusing static_branch_enc/dec() and uses that static branch in hot paths to\ndetermine if it needs to deal with unaccepted memory.\n\nBorislav and Thomas pointed out that the tracking is racy: operations on\nstatic_branch are not serialized against adding/removing unaccepted pages\nto/from the zone.\n\nSanity checks inside static_branch machinery detects it:\n\nWARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0\n\nThe comment around the WARN() explains the problem:\n\n\t/*\n\t * Warn about the \u0027-1\u0027 case though; since that means a\n\t * decrement is concurrent with a first (0-\u003e1) increment. IOW\n\t * people are trying to disable something that wasn\u0027t yet fully\n\t * enabled. This suggests an ordering problem on the user side.\n\t */\n\nThe effect of this static_branch optimization is only visible on\nmicrobenchmark.\n\nInstead of adding more complexity around it, remove it altogether.",
"id": "GHSA-qqq6-9fj8-x34c",
"modified": "2025-11-17T15:30:32Z",
"published": "2025-06-18T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38008"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71dda1cb10702dc2859f00eb789b0502de2176a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74953f93f47a45296cc2a3fd04e2a3202ff3fa53"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98fdd2f612e949c652693f6df00442c81037776d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fefc075182275057ce607effaa3daa9e6e3bdc73"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.