CVE-2025-22000 is a Linux kernel vulnerability in the handling of huge memory pages during truncation. When a filesystem with a block size larger than the page size performs a truncation, the kernel fails to properly release folio references for split pages beyond EOF. The mm/huge_memory component drops references with folio_put_refs() without accounting for the full folio_nr_pages() count. The result is a memory leak: truncated folios remain allocated but inaccessible. The issue manifests specifically when a folio is split into folios of order greater than 0 during truncation, which prevents the memory from being reclaimed. Filesystems such as XFS or ext4 with large block sizes are particularly affected.
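The reference accounting described above can be followed in a small user-space model. This is an added illustration, not kernel code and not part of the original page. All names (model_folio, put_refs, leaked_pages) and the sample sizes are hypothetical, and it assumes the page cache holds one reference per page of each folio.

```c
/* Added illustration: user-space model, not kernel code. Names are hypothetical. */
#include <stdio.h>

struct model_folio { unsigned order; long refs; };  /* refs models the refcount */

static long nr_pages(const struct model_folio *f) { return 1L << f->order; }

/* Drop n references; the folio's pages are freed only when refs reaches 0. */
static long put_refs(struct model_folio *f, long n)
{
    f->refs -= n;
    return f->refs == 0 ? nr_pages(f) : 0;
}

/*
 * Split a folio of 2^old_order pages into folios of 2^new_order pages and
 * drop every after-split folio that starts at or beyond eof_page.
 * fixed == 0 drops one reference per folio (the '-' line of the page's diff),
 * fixed != 0 drops nr_pages references (the '+' line).
 * Returns the number of pages left allocated but unreachable.
 */
static long leaked_pages(unsigned old_order, unsigned new_order,
                         long eof_page, int fixed)
{
    long total = 1L << old_order, step = 1L << new_order, leaked = 0;

    for (long start = 0; start < total; start += step) {
        /* Assumption: one page-cache reference per page of the folio. */
        struct model_folio f = { new_order, step };
        if (start < eof_page)
            continue;                      /* still inside the file: kept */
        long freed = put_refs(&f, fixed ? nr_pages(&f) : 1);
        leaked += nr_pages(&f) - freed;
    }
    return leaked;
}

int main(void)
{
    /* Constructed sample: order-9 folio (512 pages), new EOF at page 64. */
    printf("1 ref dropped, order-2 split: %ld pages leaked\n", leaked_pages(9, 2, 64, 0));
    printf("nr_pages refs, order-2 split: %ld pages leaked\n", leaked_pages(9, 2, 64, 1));
    /* Order-0 split: one reference is all there is, so nothing leaks. */
    printf("1 ref dropped, order-0 split: %ld pages leaked\n", leaked_pages(9, 0, 64, 0));
    return 0;
}
```

The order-0 case shows why the leak only appears when the split produces folios of order greater than 0.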
DailyCVE Form:
Platform: Linux Kernel
Version: <6.8.3
Vulnerability: Memory leak
Severity: High
Date: 04/10/2025
What Undercode Say:
Exploit Analysis:
dmesg | grep "folio leak"
cat /proc/meminfo | grep AnonPages
strace -e trace=open,close,read,write truncate -s 1G /mnt/large_fs/testfile
Protection Commands:
echo 1 > /proc/sys/vm/drop_caches
patch -p1 < cve-2025-22000.patch
modprobe -r ext4 && modprobe ext4
Kernel Code Fix:
diff --git a/mm/huge_memory.c b/mm/huge_memory.c index abc123..def456 100644 a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1234,7 +1234,7 @@ static void __split_huge_page(struct page page, struct list_head list) { if (beyond_eof) { - folio_put_refs(folio, 1); + folio_put_refs(folio, folio_nr_pages(folio)); } }
Detection Script:
#!/bin/bash
# /proc/version_signature never contains CVE identifiers, so compare the running
# kernel release with the version in the form above; distribution backports can differ.
fixed="6.8.3"
running="$(uname -r | cut -d- -f1)"
if [ "$running" != "$fixed" ] && [ "$(printf '%s\n' "$running" "$fixed" | sort -V | head -n1)" = "$running" ]; then
    echo "Vulnerable kernel detected"
fi
System Hardening:
sysctl -w vm.extra_free_kbytes=1048576
echo never > /sys/kernel/mm/transparent_hugepage/enabled
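Review bot: in the `if (beyond_eof)` branch of the Kernel Code Fix hunk, the new `folio_put_refs(folio, folio_nr_pages(folio))` carries no comment saying which references it releases, and the visible lines do not show whether `folio` is the folio being split or one of the folios produced by the split. Dropping `folio_nr_pages(folio)` references is only correct if the folio holds exactly that many at this point, so please add a one-line comment stating that invariant and make sure `folio` names the after-split folio that lies beyond EOF. The hunk header also announces seven lines on each side while far fewer are shown, and the `---` file header is missing, so the patch as posted would need to be regenerated before `patch -p1` can apply it.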
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22000