{"id":"CVE-2025-21696","summary":"mm: clear uffd-wp PTE/PMD state on mremap()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: clear uffd-wp PTE/PMD state on mremap()\n\nWhen mremap()ing a memory region previously registered with userfaultfd as\nwrite-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in\nflag clearing leads to a mismatch between the vma flags (which have\nuffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp\ncleared).  This mismatch causes a subsequent mprotect(PROT_WRITE) to\ntrigger a warning in page_table_check_pte_flags() due to setting the pte\nto writable while uffd-wp is still set.\n\nFix this by always explicitly clearing the uffd-wp pte/pmd flags on any\nsuch mremap() so that the values are consistent with the existing clearing\nof VM_UFFD_WP.  Be careful to clear the logical flag regardless of its\nphysical form; a PTE bit, a swap PTE bit, or a PTE marker.  Cover PTE,\nhuge PMD and hugetlb paths.","modified":"2026-03-20T12:41:07.405782Z","published":"2025-02-12T13:27:54.905Z","related":["ALSA-2025:20095","ALSA-2025:20518","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21696.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0cef0bb836e3cfe00f08f9606c72abd72fe78ca3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/310ac886d68de661c3a334198d8604b722d7fdf8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21696.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21696"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"63b2d4174c4ad1f40b48d7138e71bcb564c1fe03"},{"fixed":"310ac886d68de661c3a334198d8604b722d7fdf8"},{"fixed":"0cef0bb836e3cfe00f08f9606c72abd72fe78ca3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21696.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}