CVE-2020-25285: Race Condition
First published: Sun Sep 13 2020(Updated: )
A flaw was found in the Linux kernels sysctl handling code for hugepages management. When multiple root level processes would write to modify the /proc/sys/vm/nr_hugepages file it could create a race on internal variables leading to a system crash or memory corruption.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-305.rt7.72.el8 | 0:4.18.0-305.rt7.72.el8 |
| redhat/kernel | <0:4.18.0-305.el8 | 0:4.18.0-305.el8 |
| Linux Kernel | <5.8.8 | |
| Debian GNU/Linux | =9.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 | |
| Debian | =9.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25285 https://nvd.nist.gov/vuln/detail/CVE-2020-25285
- https://bugzilla.redhat.com/show_bug.cgi?id=1882591
- https://access.redhat.com/errata/RHSA-2021:1739
- https://access.redhat.com/errata/RHSA-2021:1578
- https://access.redhat.com/security/cve/cve-2020-25285
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.8
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17743798d81238ab13050e8e2833699b54e15467
- https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
- https://security.netapp.com/advisory/ntap-20201009-0002/
- https://twitter.com/grsecurity/status/1303749848898904067
- https://usn.ubuntu.com/4576-1/
- https://usn.ubuntu.com/4579-1/
- https://launchpad.net/bugs/cve/CVE-2020-25285
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1882592
- https://git.kernel.org/linus/17743798d81238ab13050e8e2833699b54e15467
- https://security-tracker.debian.org/tracker/CVE-2020-25285
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25285
- https://nvd.nist.gov/vuln/detail/CVE-2020-25285
- https://ubuntu.com/security/CVE-2020-25285
Frequently Asked Questions
What is the severity of CVE-2020-25285?
CVE-2020-25285 is rated as high severity due to the potential for a system crash or memory corruption.
How do I fix CVE-2020-25285?
To mitigate CVE-2020-25285, upgrade to the latest patched kernel versions as recommended by your distribution.
Which versions of the Linux kernel are affected by CVE-2020-25285?
CVE-2020-25285 affects Linux kernel versions prior to 5.8.8.
Can CVE-2020-25285 be exploited remotely?
CVE-2020-25285 requires local access to the system to exploit, making it a local vulnerability.
What specific packages are impacted by CVE-2020-25285?
Packages affected by CVE-2020-25285 include various versions of the kernel, kernel-rt, and Linux distributions like Debian and Ubuntu.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25285
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-index
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- package-manager/debian
- canonical/debian
- version/debian/9.0
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/20.04