CVE-2025-40353

NameCVE-2025-40353
DescriptionIn the Linux kernel, the following vulnerability has been resolved: arm64: mte: Do not warn if the page is already tagged in copy_highpage() The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the same destination page. Since copy_highpage() already set the PG_mte_tagged flag, this second copy will warn. Replace the WARN_ON_ONCE(page already tagged) in the arm64 copy_highpage() with a comment.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)bullseye5.10.223-1vulnerable
bullseye (security)5.10.247-1vulnerable
bookworm6.1.148-1vulnerable
bookworm (security)6.1.158-1vulnerable
trixie6.12.57-1fixed
trixie (security)6.12.48-1vulnerable
forky6.17.11-1fixed
sid6.17.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcetrixie6.12.57-1
linuxsource(unstable)6.17.6-1

Notes

https://git.kernel.org/linus/b98c94eed4a975e0c80b7e90a649a46967376f58 (6.18-rc3)
Search for package or bug name: Reporting problems