CVE-2025-22015: mm/migrate: fix shmem xarray update during migration
In the Linux kernel, the following vulnerability has been resolved:
mm/migrate: fix shmem xarray update during migration
A shmem folio can be either in page cache or in swap cache, but not at the
same time. Namely, once it is in swap cache, folio->mapping should be
NULL, and the folio is no longer in a shmem mapping.
In __folio_migrate_mapping(), to determine the number of xarray entries to
update, folio_test_swapbacked() is used, but that conflates shmem in page
cache case and shmem in swap cache case. It leads to xarray multi-index
entry corruption, since it turns a sibling entry to a normal entry during
xas_store() (see [1] for a userspace reproduction). Fix it by only using
folio_test_swapcache() to determine whether xarray is storing swap cache
entries or not to choose the right number of xarray entries to update.
[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/
Note:
In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is
used to get swap_cache address space, but that ignores the shmem folio in
swap cache case. It could lead to NULL pointer dereferencing when a
in-swap-cache shmem folio is split at __xa_store(), since
!folio_test_anon() is true and folio->mapping is NULL. But fortunately,
its caller split_huge_page_to_list_to_order() bails out early with EBUSY
when folio->mapping is NULL. So no need to take care of it here.
Security readout for executives and security teams
Plain-English summary
CVE-2025-22015 is a Linux kernel memory-management flaw involving shared memory page migration. Under specific conditions, the kernel can corrupt an internal xarray structure. Public sources show a user-space reproduction, but do not show active exploitation or a CVSS score.
Executive priority
Treat as a scheduled kernel-update priority, higher for multi-tenant Linux hosts, container platforms, and appliances. There is no sourced evidence of active exploitation, but kernel memory corruption bugs can create operational and security risk.
Technical view
In __folio_migrate_mapping(), the kernel used folio_test_swapbacked() to decide xarray update size. For shmem folios, this conflated page-cache and swap-cache states, allowing multi-index xarray entry corruption during migration. Stable fixes switch the decision to folio_test_swapcache().
Likely exposure
Exposure is limited to Linux systems running affected kernel builds. Exact impact depends on vendor backports and kernel lineage, so validate against kernel.org stable commits and OS or appliance vendor advisories rather than raw version strings alone.
Exploitation context
The CVE text cites a user-space reproduction on the Linux memory-management mailing list. The provided sources do not indicate CISA KEV listing, active exploitation, public weaponization, privilege escalation, or remote attack exposure.
Researcher notes
Evidence identifies the bug class and fix, but not a complete security impact statement. The cited reproduction is useful for understanding triggerability, while remediation should track stable commits and downstream vendor backports.
Mitigation direction
Update to a vendor kernel containing the referenced stable fixes.
Use Debian LTS updates where applicable.
Check Siemens advisory for affected Siemens products and update guidance.
Prioritize systems allowing untrusted local workloads or containers.
If patching is delayed, follow vendor guidance for compensating controls.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and containers hosts.
Compare installed kernels with OS vendor advisories and kernel.org stable fixes.
Confirm Debian LTS systems received the relevant DLA update.
Check Siemens product exposure using SSA-019113.
Monitor kernel logs for memory-management instability, but do not rely on logs for assurance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-22015 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
2ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 8, 2025, 08:18 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.