AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2025-39910: In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc, mm/kasan: respect gfp mask in kasan_pop

mediumvulnerability

security

Source: NVD/CVE DatabaseOctober 1, 2025CVE-2025-39910

Summary

A bug in the Linux kernel's KASAN (a memory safety tool) caused memory allocation functions to ignore the caller's gfp_mask (a flag controlling how memory should be allocated), always using GFP_KERNEL instead. This created a mismatch with vmalloc() (virtual memory allocation), which supports GFP_NOFS and GFP_NOIO flags that prevent certain types of I/O operations, and could cause deadlocks when filesystems like XFS tried to allocate memory with these restrictions.

Solution / Mitigation

The patch fixes the issue by: extending kasan_populate_vmalloc() and helpers to accept and respect gfp_mask; passing gfp_mask down to alloc_pages_bulk() and __get_free_page() functions; enforcing GFP_NOFS/NOIO semantics using memalloc_*_save()/restore() wrapper calls around apply_to_page_range(); and updating the call sites in vmalloc.c and the percpu allocator accordingly.

Vulnerability Details

CVSS Score

5.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack SophisticationModerate

Taxonomy References

CWE (Weakness Type)

CWE-667 CWE-667

Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-39910

First tracked: February 15, 2026 at 08:35 PM

Classified by LLM (prompt v3) · confidence: 95%