Memory Initialization Issue in Linux Kernel on KVM Arm64
CVE-2025-37996
Currently unrated
What is CVE-2025-37996?
In the Linux kernel, a vulnerability was identified in the KVM component for arm64: the memory cache (memcache) pointer used in the user_mem_abort() function could be left uninitialized. A code change intended to integrate the pKVM MMU inadvertently introduced code paths in which the local memcache variable was used without being initialized. This oversight poses risks during operations that require stage-2 allocations, particularly when permissions or dirty logging are involved. The fix ensures that the memcache is always valid, preventing potential failures.
Affected Version(s)
Linux fce886a6020734d6253c2c5a3bc285e385cc5496
Linux fce886a6020734d6253c2c5a3bc285e385cc5496 < 157dbc4a321f5bb6f8b6c724d12ba720a90f1a7c
Linux 6.14