LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39989: x86/mce: use is_copy_from_user() to determine copy-from-user context

In the Linux kernel, the following vulnerability has been resolved: x86/mce: use is_copy_from_user() to determine copy-from-user context Patch series "mm/hwpoison: Fix regressions in memory failure handling", v4. ## 1. What am I trying to do: This patchset resolves two critical regressions related to memory failure handling that have appeared in the upstream kernel since version 5.17, as compared to 5.10 LTS. - copyin case: poison found in user page while kernel copying from user space - instr case: poison found while instruction fetching in user space ## 2. What is the expected outcome and why - For copyin case: Kernel can recover from poison found where kernel is doing get_user() or copy_from_user() if those places get an error return and the kernel return -EFAULT to the process instead of crashing. More specifily, MCE handler checks the fixup handler type to decide whether an in kernel #MC can be recovered. When EX_TYPE_UACCESS is found, the PC jumps to recovery code specified in _ASM_EXTABLE_FAULT() and return a -EFAULT to user space. - For instr case: If a poison found while instruction fetching in user space, full recovery is possible. User process takes #PF, Linux allocates a new page and fills by reading from storage. ## 3. What actually happens and why - For copyin case: kernel panic since v5.17 Commit 4c132d1d844a ("x86/futex: Remove .fixup usage") introduced a new extable fixup type, EX_TYPE_EFAULT_REG, and later patches updated the extable fixup type for copy-from-user operations, changing it from EX_TYPE_UACCESS to EX_TYPE_EFAULT_REG. It breaks previous EX_TYPE_UACCESS handling when posion found in get_user() or copy_from_user(). - For instr case: user process is killed by a SIGBUS signal due to #CMCI and #MCE race When an uncorrected memory error is consumed there is a race between the CMCI from the memory controller reporting an uncorrected error with a UCNA signature, and the core reporting and SRAR signature machine check when the data is about to be consumed. ### Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1] Prior to Icelake memory controllers reported patrol scrub events that detected a previously unseen uncorrected error in memory by signaling a broadcast machine check with an SRAO (Software Recoverable Action Optional) signature in the machine check bank. This was overkill because it's not an urgent problem that no core is on the verge of consuming that bad data. It's also found that multi SRAO UCE may cause nested MCE interrupts and finally become an IERR. Hence, Intel downgrades the machine check bank signature of patrol scrub from SRAO to UCNA (Uncorrected, No Action required), and signal changed to #CMCI. Just to add to the confusion, Linux does take an action (in uc_decode_notifier()) to try to offline the page despite the UC*NA* signature name. ### Background: why #CMCI and #MCE race when poison is consuming in Intel platform [1] Having decided that CMCI/UCNA is the best action for patrol scrub errors, the memory controller uses it for reads too. But the memory controller is executing asynchronously from the core, and can't tell the difference between a "real" read and a speculative read. So it will do CMCI/UCNA if an error is found in any read. Thus: 1) Core is clever and thinks address A is needed soon, issues a speculative read. 2) Core finds it is going to use address A soon after sending the read request 3) The CMCI from the memory controller is in a race with MCE from the core that will soon try to retire the load from address A. Quite often (because speculation has got better) the CMCI from the memory controller is delivered before the core is committed to the instruction reading address A, so the interrupt is taken, and Linux offlines the page (marking it as poison). ## Why user process is killed for instr case Commit 046545a661af ("mm/hwpoison: fix error page recovered but reported "not ---truncated---

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can turn some hardware memory-error recovery cases into a kernel panic or unnecessary process termination. The business risk is availability, especially for x86 server fleets where memory errors occur. Sources do not show active exploitation or a remote attack path.

Executive priority

Treat as a planned reliability patch, with higher priority for critical Linux server fleets. There is no cited active exploitation, but kernel panic risk can still affect uptime and service resilience.

Technical view

On x86, memory failure handling regressed after Linux 5.17. Machine-check handling relied on EX_TYPE_UACCESS, but copy-from-user paths moved to EX_TYPE_EFAULT_REG. Poisoned user pages during get_user()/copy_from_user() could panic instead of returning -EFAULT; related instruction-fetch races could kill a user process.

Likely exposure

Exposure is likely limited to Linux x86 systems running affected kernel lines described in the CVE data, especially versions since 5.17 before the referenced stable fixes. Systems without relevant memory-error events may never observe the fault.

Exploitation context

The bundle lists KEV as false and provides no evidence of active exploitation. The described trigger is hardware memory poison and machine-check handling, not a public exploit chain or remotely reachable software input.

Researcher notes

Evidence is strongest for root cause and affected subsystem, but incomplete for CVSS, distribution impact, and exploitability. Avoid assuming attacker control; focus validation on kernel version, backported fixes, and MCE/hwpoison behavior.

Mitigation direction

  • Identify Linux x86 hosts and their exact kernel versions.
  • Prioritize systems running affected 5.17+ or listed stable kernel lines.
  • Apply vendor or distribution kernel updates containing the referenced stable fixes.
  • For custom kernels, review whether the listed upstream commits are included.
  • Monitor vendor advisories for backport status and reboot requirements.

Validation and detection

  • Confirm running kernel versions across production and high-availability systems.
  • Check vendor changelogs for CVE-2025-39989 or the referenced commit IDs.
  • Review kernel logs for MCE, CMCI, hwpoison, SIGBUS, or panic events.
  • Validate patched kernels in staging with normal workload and hardware-monitoring coverage.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39989 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
6Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux4c132d1d844a53fc4e4b5c34e36ef10d6124b783, 4c132d1d844a53fc4e4b5c34e36ef10d6124b783, 4c132d1d844a53fc4e4b5c34e36ef10d6124b783, 4c132d1d844a53fc4e4b5c34e36ef10d6124b783, 4c132d1d844a53fc4e4b5c34e36ef10d6124b783, 88eded8104d2ca0429703755dd250f8cbecc1447, 5.15.58unaffected
LinuxLinux5.17, 0, 6.6.89, 6.12.23, 6.13.11, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.