CVE intelligence and bounded remediation

CVE-2025-21932 — Linux Linux Kernel security vulnerability

Medium CVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: mm: abort vma_modify() on merge out of memory failure The remainder of vma_modify() relies upon the vmg state remaining pristine after a merge attempt. Usually this is the case, however in the one edge case scenario of a merge attempt failing not due to the specified range being unmergeable, but rather due to an out of memory error arising when attempting to commit the merge, this assumption becomes untrue. This results in vmg->start, end being modified, and thus the proceeding attempts to split the VMA will be done with invalid start/end values. Thankfully, it is likely practically impossible for us to hit this in reality, as it would require a maple tree node pre-allocation failure that would likely never happen due to it being 'too small to fail', i.e. the kernel would simply keep retrying reclaim until it succeeded. However, this scenario remains theoretically possible, and what we are doing here is wrong so we must correct it. The safest option is, when this scenario occurs, to simply give up the operation. If we cannot allocate memory to merge, then we cannot allocate memory to split either (perhaps moreso!)…

Severity
Medium
CVSS
5.5 (3.1)
Published
2025-04-01
CISA KEV
Not currently listed
Ecosystem
linux/kernel

Affected products

  • linux / linux_kernel
  • linux / linux_kernel / 6.14

Showing 2 representative product identities from 7 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

General vulnerability remediation

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Confirm the affected component, deployment paths, reachable interfaces, and enabled features from inventories and configuration, without probing production destructively.
  • Compare the advisory's affected conditions with the repository lockfiles, build manifests, artifacts, and runtime inventory.
  • Identify data sensitivity, trust boundaries, and privilege level for every confirmed affected deployment.

Remediate safely

  • Apply a vendor-supported fix or remove the affected component or feature; record the selected change and its source in the repository.
  • Update direct and transitive dependency locks, generated artifacts, deployment manifests, and asset inventories together.
  • Add a regression test for the documented unsafe condition using inert inputs and preserve rollback instructions.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.