
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38334 is a vulnerability discovered in the Linux kernel affecting the x86/sgx subsystem, specifically related to the handling of poisoned pages in SGX page reclaim functionality. The vulnerability was disclosed on July 10, 2025 (NVD CVE).
The vulnerability exists in the SGX page reclaim mechanism where the system attempts to reclaim EPC (Enclave Page Cache) pages that are known to be poisoned. The issue occurs because epc_page->poison is not checked in the reclaimer logic, allowing attempts to reclaim poisoned EPC pages. When reclaiming, the system uses microcode operations including 'EWB' which accesses the EPC page contents to encrypt and write them to non-SGX memory. These operations cannot properly handle Machine Check Exceptions (MCEs) in their accesses (CVE Details).
When exploited, this vulnerability can lead to two critical issues: 1) poisoned pages could potentially be added to another enclave, and 2) it can cause one CPU core to shut down and the kernel to panic. The executing core enters a special shutdown state that affects both hyper-threads of that core when Hyper-Threading is enabled, and the kernel subsequently panics on the remaining cores when they detect that the affected core did not enter the MCE handlers in time (NVD CVE).
The fix involves calling sgx_unmark_page_reclaimable() to remove the affected EPC page from sgx_active_page_list on memory error, preventing it from being considered for reclaiming. While testing epc_page->poison in sgx_reclaim_pages() would also work, the implemented solution places the extra code on the rarer memory-error path instead. The patch has been integrated into various Linux kernel versions (Debian Tracker).
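The following user-space model, added here as an illustration and not taken from the Linux kernel or from the patch itself, shows why the two fix strategies described above both keep the reclaimer away from poisoned pages. The structures and function names (epc_page, active_list, mark_page_reclaimable, unmark_page_reclaimable, memory_failure_fixed, reclaim_poisoned_count, scenario_*) are hypothetical stand-ins for the kernel's sgx_epc_page, sgx_active_page_list, sgx_unmark_page_reclaimable() and sgx_reclaim_pages(); the three-page scenario is constructed for the example. Each poisoned page the model's reclaimer would touch stands for an EWB on poisoned memory, which on real hardware raises a machine check the microcode cannot recover from.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an EPC page; not the kernel's struct sgx_epc_page.
 * Only the poison flag and the list link matter for this illustration. */
struct epc_page {
    int id;
    bool poison;            /* set when a memory error is reported on the page */
    struct epc_page *next;  /* link on the active (reclaimable) list */
};

/* Stand-in for sgx_active_page_list: a singly linked list of reclaimable pages. */
struct active_list {
    struct epc_page *head;
};

static void mark_page_reclaimable(struct active_list *l, struct epc_page *p)
{
    p->next = l->head;
    l->head = p;
}

/* Stand-in for sgx_unmark_page_reclaimable(): unlink p if it is on the list. */
static bool unmark_page_reclaimable(struct active_list *l, struct epc_page *p)
{
    for (struct epc_page **pp = &l->head; *pp; pp = &(*pp)->next) {
        if (*pp == p) {
            *pp = p->next;
            p->next = NULL;
            return true;
        }
    }
    return false;
}

/* Unfixed memory-error path: the page is flagged but stays reclaimable. */
static void memory_failure_unfixed(struct active_list *l, struct epc_page *p)
{
    (void)l;
    p->poison = true;
}

/* Fixed memory-error path, as the advisory describes: flag the page and pull it
 * off the active list so the reclaimer can never select it for EWB. */
static void memory_failure_fixed(struct active_list *l, struct epc_page *p)
{
    p->poison = true;
    unmark_page_reclaimable(l, p);
}

/* Model of the reclaimer walking its candidate list. Returns how many poisoned
 * pages it would hand to EWB. check_poison models the alternative fix the
 * advisory mentions (testing poison inside the reclaimer and skipping the page). */
static int reclaim_poisoned_count(const struct active_list *l, bool check_poison)
{
    int poisoned = 0;
    for (const struct epc_page *p = l->head; p; p = p->next) {
        if (check_poison && p->poison)
            continue;          /* skipped: the page contents are never touched */
        if (p->poison)
            poisoned++;        /* unfixed: EWB would access poisoned memory */
    }
    return poisoned;
}

static int list_length(const struct active_list *l)
{
    int n = 0;
    for (const struct epc_page *p = l->head; p; p = p->next)
        n++;
    return n;
}

/* Constructed scenario: three reclaimable pages, page 1 reports a memory error.
 * mode 0: unfixed kernel; 1: fix in the memory-error path; 2: check in reclaimer. */
static void run_scenario(int mode, struct active_list *l, struct epc_page pages[3])
{
    l->head = NULL;
    for (int i = 0; i < 3; i++) {
        pages[i].id = i;
        pages[i].poison = false;
        pages[i].next = NULL;
        mark_page_reclaimable(l, &pages[i]);
    }
    if (mode == 1)
        memory_failure_fixed(l, &pages[1]);
    else
        memory_failure_unfixed(l, &pages[1]);
}

/* Number of poisoned pages the reclaimer would touch in the given mode. */
int scenario_poisoned_reclaims(int mode)
{
    struct epc_page pages[3];
    struct active_list l;
    run_scenario(mode, &l, pages);
    return reclaim_poisoned_count(&l, mode == 2);
}

/* Number of pages still on the active list after the memory error. */
int scenario_active_pages(int mode)
{
    struct epc_page pages[3];
    struct active_list l;
    run_scenario(mode, &l, pages);
    return list_length(&l);
}

int main(void)
{
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d: poisoned pages reached by reclaimer = %d, active pages = %d\n",
               mode, scenario_poisoned_reclaims(mode), scenario_active_pages(mode));
    return 0;
}
```

Mode 0 reproduces the unfixed behaviour (the reclaimer reaches one poisoned page); modes 1 and 2 both reach none. The difference between them is where the cost lands: mode 1 does the extra work once, on the rare memory-error path, while mode 2 adds a test to every iteration of the reclaim loop, which is why the advisory notes that the chosen fix keeps the added code out of the common path.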
Source: This report was generated using AI