CVE intelligence and bounded remediation
CVE-2025-39844 — Linux Linux Kernel security vulnerability
In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks. And looking at __populate_section_memmap(): if (vmemmap_can_optimize(altmap, pgmap)) // does not sync top level page tables r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap); else // s…
- Severity
- Medium
- CVSS
- 5.5 (3.1)
- Published
- 2025-09-19
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
Affected products
- linux / linux_kernel
- linux / linux_kernel / 6.17
- debian / debian_linux / 11.0
Matched remediation archetype
General vulnerability remediation
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Confirm the affected component, deployment paths, reachable interfaces, and enabled features from inventories and configuration, without probing production destructively.
- Compare the advisory's affected conditions with the repository lockfiles, build manifests, artifacts, and runtime inventory.
- Identify data sensitivity, trust boundaries, and privilege level for every confirmed affected deployment.
Remediate safely
- Apply a vendor-supported fix or remove the affected component or feature; record the selected change and its source in the repository.
- Update direct and transitive dependency locks, generated artifacts, deployment manifests, and asset inventories together.
- Add a regression test for the documented unsafe condition using inert inputs and preserve rollback instructions.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.