Memory Disclosure Vulnerability in Linux Kernel Affecting Huge Pages
CVE-2025-68292
What is CVE-2025-68292?
A vulnerability in the Linux kernel's handling of hugetlb folios can disclose kernel memory to userspace. When hugetlb folios are allocated for the memfd feature, essential initialization steps are bypassed, so uninitialized kernel memory is disclosed. Specifically, the allocated folios are neither zeroed before use nor marked as up-to-date, which poses a risk especially for applications that pin these folios for direct, unrestricted access through DMA operations. The issue arises because the memfd allocation bypasses the usual page fault handling process, allowing sensitive data to leak through read or mmap operations. The resolution ensures that all necessary initialization procedures are followed, including zeroing the folio and acquiring the appropriate mutex to prevent race conditions.
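The initialization gap and its fix, reduced to a userspace C model. This is an added example, not kernel code or the upstream patch: every name in it (`pool_slot`, `page_cache`, `pin_alloc_unfixed`, `pin_alloc_fixed`, `leaked_bytes`) is hypothetical, and the 64-byte folio and the stale string are constructed.

```c
/* Userspace model, not kernel code: all names are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FOLIO_SIZE 64                 /* stand-in for a huge page */
struct folio { unsigned char data[FOLIO_SIZE]; bool uptodate; };
static struct folio pool_slot;        /* one recycled folio in the pool */
static struct folio *page_cache;      /* the memfd's single cache slot */
static pthread_mutex_t fault_mutex = PTHREAD_MUTEX_INITIALIZER;

/* A previous owner frees the folio without scrubbing it (constructed data). */
void previous_owner_leaves(const char *secret) {
    memset(&pool_slot, 0, sizeof pool_slot);
    strncpy((char *)pool_slot.data, secret, FOLIO_SIZE - 1);
    page_cache = NULL;
}

/* "Before": the pin path publishes the folio exactly as the pool returned it. */
void pin_alloc_unfixed(void) { page_cache = &pool_slot; }

/* "After": zero it, mark it up to date, then publish under the fault mutex. */
void pin_alloc_fixed(void) {
    memset(pool_slot.data, 0, FOLIO_SIZE);
    pool_slot.uptodate = true;
    pthread_mutex_lock(&fault_mutex);
    if (!page_cache) page_cache = &pool_slot;  /* a racing fault may insert first */
    pthread_mutex_unlock(&fault_mutex);
}

/* read()/mmap stand-in: count the non-zero bytes a caller would see. */
size_t leaked_bytes(void) {
    size_t leaked = 0;
    if (!page_cache) return 0;
    for (size_t i = 0; i < FOLIO_SIZE; i++)
        leaked += page_cache->data[i] != 0;
    return leaked;
}

int main(void) {
    previous_owner_leaves("constructed-secret");
    pin_alloc_unfixed();
    printf("unfixed: %zu stale bytes visible\n", leaked_bytes());
    previous_owner_leaves("constructed-secret");
    pin_alloc_fixed();
    printf("fixed:   %zu stale bytes visible\n", leaked_bytes());
    return 0;
}
```

The invariant the model checks is that a folio must be zeroed and marked up-to-date before it becomes reachable through the file, whichever allocation path produced it.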
Affected Version(s)
Linux 89c1905d9c140372b7f50ef48f42378cf85d9bc5 < 50b4c1c28733a536d637d2f0401d60bcfef60ef2
Linux 89c1905d9c140372b7f50ef48f42378cf85d9bc5