PatchSiren

CVE-2025-39776 Cert Portal CVE debrief

CVE-2025-39776 describes a Linux kernel mm/debug_vm_pgtable test cleanup bug in which manually allocated page-table entries are not cleared in destroy_args(). On a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y, stale entries can be reused by a later mm_struct allocation and cause warnings or incorrect memory-management state. The source advisory was published on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT material.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Kernel maintainers, downstream distributors, and operators of builds that include CONFIG_DEBUG_VM_PGTABLE or otherwise ship debug-oriented kernel test code should care most. The source advisory metadata maps the issue to Siemens SIMATIC CN 4100 v<5.0, but the vulnerability text itself is Linux-kernel-specific, so affected-product mapping should be verified before prioritizing remediation.

Technical summary

The issue occurs in mm/debug_vm_pgtable when the test harness allocates page-table entries and an mm_struct manually, then exits without calling the *_clear functions in destroy_args(). That leaves stale page-table state behind. If a later process allocates an mm_struct whose pgd lands at the same address, it can encounter those stale entries, leading to kernel warnings such as free_pud_range checks, bad rss-counter state, and negative pgtables_bytes on debug builds. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, consistent with a local availability impact.

Defensive priority

Medium. The issue is confined to a debug/test path, but the advisory shows it can trip real kernel warnings and memory-accounting failures on affected builds. Prioritize if you ship or rely on debug kernels or kernel test configurations; otherwise, track it as a lower-priority hardening fix.

Recommended defensive actions

  • Apply the vendor fix identified in the advisory and update to V5.0 or later where applicable.
  • Backport the kernel cleanup change that clears the manually allocated page-table entries in destroy_args().
  • Verify whether CONFIG_DEBUG_VM_PGTABLE is enabled in any shipped or lab kernels and disable it where it is not needed.
  • Review kernel logs for related mm warnings, especially free_pud_range, bad rss-counter state, or non-zero pgtables_bytes messages after shutdown or test teardown.
  • Confirm the affected-product mapping in the Siemens advisory before using this CVE for product-level exposure tracking.
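
The config and log checks from the list above, as an added shell example (not from the advisory or Siemens material). Function names are hypothetical, and the kernel config files and log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical;
# the sample config and log content below is constructed for illustration.

# Print enabled/disabled/unknown for CONFIG_DEBUG_VM_PGTABLE in a kernel
# config file (plain text, or gzip-compressed when the name ends in .gz).
debug_vm_pgtable_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $1 in
        *.gz) reader="gzip -dc" ;;
        *)    reader=cat ;;
    esac
    # Match only an active "=y" line, not "# ... is not set".
    if $reader "$1" | grep -q '^CONFIG_DEBUG_VM_PGTABLE=y$'; then
        echo enabled
    else
        echo disabled
    fi
}

# Print log lines matching the three warning signatures the advisory names.
# Case-insensitive so "Bad rss-counter" and "bad rss-counter" both match.
find_mm_warnings() {
    grep -iE 'free_pud_range|bad rss-counter state|non-zero pgtables_bytes' "$1" || true
}

# Write constructed sample inputs into directory $1.
write_samples() {
    printf '%s\n' 'CONFIG_DEBUG_VM=y' 'CONFIG_DEBUG_VM_PGTABLE=y' > "$1/config-debug"
    printf '%s\n' 'CONFIG_DEBUG_VM=y' '# CONFIG_DEBUG_VM_PGTABLE is not set' > "$1/config-prod"
    cat > "$1/kern.log" <<'EOF'
[   10.000000] EXT4-fs (sda1): mounted filesystem (constructed line)
[   12.345678] WARNING: CPU: 0 PID: 1 at free_pud_range (constructed line)
[   12.345900] BUG: Bad rss-counter state mm:(constructed) type:MM_ANONPAGES val:1
[   12.346100] BUG: non-zero pgtables_bytes on freeing mm: -4096
[   13.000000] systemd[1]: Reached target Shutdown. (constructed line)
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for cfg in config-debug config-prod; do
    echo "$cfg: $(debug_vm_pgtable_state "$demo_dir/$cfg")"
done
find_mm_warnings "$demo_dir/kern.log"
rm -rf "$demo_dir"
```

On a live host, point debug_vm_pgtable_state at /boot/config-$(uname -r) where the distribution installs it, or at /proc/config.gz where present, and run find_mm_warnings over saved dmesg or journal output.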

Evidence notes

The source description says the mm/debug_vm_pgtable test manually allocates page-table entries and an mm_struct, then fails to clear those entries in destroy_args(), leaving stale state that can be hit when another process reuses the same address. The advisory text says this is observed on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y and includes warning output from free_pud_range, bad rss-counter state, and non-zero pgtables_bytes. The source metadata also supplies the remediation 'Update to V5.0 or later version' and a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Vendor/product metadata in the supplied corpus is low confidence and should be validated because the narrative is Linux-kernel-specific while the product mapping points to Siemens SIMATIC CN 4100 v<5.0.

Official resources

Published 2026-05-12T00:00:00.000Z; modified 2026-05-14T06:00:00.000Z. The source item shows an initial publication followed by a CISA republication of Siemens ProductCERT SSA-032379 material.