CVE-2025-21932

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A vulnerability in the Linux kernel has been resolved, related to the vma modify() function. The issue occurs when a merge attempt fails due to an out-of-memory error, causing the vmg state to become unstable. This can lead to invalid start and end values being used in subsequent attempts to split the VMA. The vulnerability is theoretically possible, but practically unlikely, as it would require a specific edge case scenario. The issue was reported by syzkaller and Brad Spengler, and it manifested as a triggering of the VM WARN ON VMG assert in vma merge existing range(). The vulnerability can occur when an madvise() operation is performed across multiple VMAs.

Recommendations As a temporary workaround, consider disabling the vma modify() function until a patch is available. Restrict access to the vulnerable vma merge existing range() function to minimize the risk of exploitation. Avoid using the madvise() operation across multiple VMAs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.