CVE-2025-38681 | mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.

Published: 2025-09-04 Last update: 2026-05-12 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-38681 is rated Low Risk (19.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-38681

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-01-09 0.06% 0.02% -0.05%
2 2026-01-04 0.02% 0.06% +0.04%
3 2025-09-05 0.02%

Full EPSS history (3 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38681

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.7 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.0 3.6 [email protected]

Weakness enumeration for CVE-2025-38681

GitHub Security Advisory for CVE-2025-38681

GHSA-vmx6-h5gh-r675 · Severity: medium — In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory...

OS Trackers for CVE-2025-38681

vendor priority summary link
debian not yet assigned CVE-2025-38681 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-38681
redhat medium https://access.redhat.com/security/cve/CVE-2025-38681
suse medium CVE-2025-38681 severity moderate: SUSE including 470 source package names (2.1.3-6.80:kernel-default-base-6.4.0-35.1.21.12, 2.1.3-7.57:kernel-default-6.4.0-35.1, …), 985 product×package rows across 196 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (196 product lines)): Fixed 619, Known Affected 231, Known Not Affected 114, First Fixed 21. https://www.suse.com/security/cve/CVE-2025-38681/
ubuntu medium CVE-2025-38681 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, ignored 176, released 150, not-affected 62, needed 6, needs-triage 2, pending 1. https://ubuntu.com/security/CVE-2025-38681

Affected software / configurations for CVE-2025-38681

Vendor Product Version Raw CPE
linux linux_kernel >= 5.7, < 5.10.241 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.190 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.149 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.103 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.12.43 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.15.11 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.16, < 6.16.2 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References for CVE-2025-38681

URL Tags
https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425 Patch
https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8 Patch
https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99a Patch
https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4 Patch
https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76f Patch
https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cd Patch
https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6b Patch
https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
cvelogic Threat Intelligence