{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22045", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.810Z", "datePublished": "2025-04-16T14:12:05.849Z", "dateUpdated": "2025-11-03T19:41:30.092Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:17:16.433Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\n\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\n\n collapse_pte_mapped_thp\n pmdp_collapse_flush\n flush_tlb_range\n\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\n\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn't have much impact:\n\n - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\n IPI'd to avoid issues with speculative page table walks.\n - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\n\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)\nwould probably be making the impact of this a lot worse."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/include/asm/tlbflush.h"], "versions": [{"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "618d5612ecb7bfc1c85342daafeb2b47e29e77a3", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "556d446068f90981e5d71ca686bdaccdd545d491", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "0708fd6bd8161871bfbadced2ca4319b84ab44fe", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "7085895c59e4057ffae17f58990ccb630087d0d2", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "93224deb50a8d20df3884f3672ce9f982129aa50", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "320ac1af4c0bdb92c864dc9250d1329234820edf", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be", "status": "affected", "versionType": "git"}, {"version": "016c4d92cd16f569c6485ae62b076c1a4b779536", "lessThan": "3ef938c3503563bfc2ac15083557f880d29c2e64", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/include/asm/tlbflush.h"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.292", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.236", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.180", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.134", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.87", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.292"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.10.236"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.15.180"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.1.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.6.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.12.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.13.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3"}, {"url": "https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491"}, {"url": "https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1"}, {"url": "https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe"}, {"url": "https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2"}, {"url": "https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50"}, {"url": "https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf"}, {"url": "https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be"}, {"url": "https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64"}], "title": "x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:41:30.092Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7271250-7637-4B0D-9535-6DD3E4AF3DD4", "versionEndExcluding": "5.4.292", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DF46FB0-9163-4ABE-8CCA-32A497D4715B", "versionEndExcluding": "5.10.236", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D19801C8-3D18-405D-9989-E6C9B30255FA", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3985DEC3-0437-4177-BC42-314AB575285A", "versionEndExcluding": "6.1.134", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF24260-49B1-4251-9477-C564CFDAD25B", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\n\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\n\n collapse_pte_mapped_thp\n pmdp_collapse_flush\n flush_tlb_range\n\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\n\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn't have much impact:\n\n - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\n IPI'd to avoid issues with speculative page table walks.\n - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\n\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)\nwould probably be making the impact of this a lot worse."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/mm: Arregla flush_tlb_range() cuando se usa para zapping de PMD normales En la siguiente ruta, flush_tlb_range() se puede usar para zapping de entradas PMD normales (entradas PMD que apuntan a tablas de p\u00e1ginas) junto con las entradas PTE en la tabla de p\u00e1ginas apuntada: colapso_pte_mapped_thp pmdp_collapse_flush flush_tlb_range La versi\u00f3n arm64 de flush_tlb_range() tiene un comentario que describe que se puede usar para la eliminaci\u00f3n de la tabla de p\u00e1ginas y no usa ninguna optimizaci\u00f3n de invalidaci\u00f3n de \u00faltimo nivel. Arregla la versi\u00f3n X86 haciendo que se comporte de la misma manera. Actualmente, X86 solo usa esta informaci\u00f3n para los dos prop\u00f3sitos siguientes, lo que creo que significa que el problema no tiene mucho impacto: - En native_flush_tlb_multi() para verificar si las CPU TLB perezosas necesitan ser IPI'd para evitar problemas con recorridos especulativos de la tabla de p\u00e1ginas. En la paravirtualizaci\u00f3n de TLB de Hyper-V, de nuevo para problemas de TLB lentos. El parche \"x86/mm: solo invalidar las traducciones finales con INVLPGB\", actualmente en revisi\u00f3n (v\u00e9ase ), probablemente estar\u00eda agravando considerablemente el impacto de esto."}], "id": "CVE-2025-22045", "lastModified": "2025-11-03T20:17:39.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:15:57.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs", "id": "2360230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360230"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\ncollapse_pte_mapped_thp\npmdp_collapse_flush\nflush_tlb_range\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn't have much impact:\n- In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\nIPI'd to avoid issues with speculative page table walks.\n- In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)\nwould probably be making the impact of this a lot worse."], "name": "CVE-2025-22045", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22045\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22045\nhttps://lore.kernel.org/linux-cve-announce/2025041601-CVE-2025-22045-049d@gregkh/T"], "threat_severity": "Low"}