LiveActive security incident?Get immediate response
CVE Record

CVE-2025-22015: mm/migrate: fix shmem xarray update during migration

In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-22015 is a Linux kernel memory-management flaw involving shared memory page migration. Under specific conditions, the kernel can corrupt an internal xarray structure. Public sources show a user-space reproduction, but do not show active exploitation or a CVSS score.

Executive priority

Treat as a scheduled kernel-update priority, higher for multi-tenant Linux hosts, container platforms, and appliances. There is no sourced evidence of active exploitation, but kernel memory corruption bugs can create operational and security risk.

Technical view

In __folio_migrate_mapping(), the kernel used folio_test_swapbacked() to decide xarray update size. For shmem folios, this conflated page-cache and swap-cache states, allowing multi-index xarray entry corruption during migration. Stable fixes switch the decision to folio_test_swapcache().

Likely exposure

Exposure is limited to Linux systems running affected kernel builds. Exact impact depends on vendor backports and kernel lineage, so validate against kernel.org stable commits and OS or appliance vendor advisories rather than raw version strings alone.

Exploitation context

The CVE text cites a user-space reproduction on the Linux memory-management mailing list. The provided sources do not indicate CISA KEV listing, active exploitation, public weaponization, privilege escalation, or remote attack exposure.

Researcher notes

Evidence identifies the bug class and fix, but not a complete security impact statement. The cited reproduction is useful for understanding triggerability, while remediation should track stable commits and downstream vendor backports.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable fixes.
  • Use Debian LTS updates where applicable.
  • Check Siemens advisory for affected Siemens products and update guidance.
  • Prioritize systems allowing untrusted local workloads or containers.
  • If patching is delayed, follow vendor guidance for compensating controls.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and containers hosts.
  • Compare installed kernels with OS vendor advisories and kernel.org stable fixes.
  • Confirm Debian LTS systems received the relevant DLA update.
  • Check Siemens product exposure using SSA-019113.
  • Monitor kernel logs for memory-management instability, but do not rely on logs for assurance.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-22015 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxbe72d197b2281e2ee3f28017fc9be1ab17e26d16, 07550b1461d4d0499165e7d6f7718cfd0e440427, fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c, fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c, fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c, 6.1.71, 6.6.10unaffected
LinuxLinux6.7, 0, 6.1.132, 6.6.85, 6.12.21, 6.13.9, 6.14affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.