Linux Kernel Vulnerability in Memory Node Initialization Affecting ARM64 Systems

CVE-2025-39903

What is CVE-2025-39903?

A vulnerability has been identified in the Linux kernel that affects the initialization of memory-only nodes. Specifically, when the system encounters nodes that lack CPUs, these nodes may not be adequately initialized, leading to potential kernel panic during the boot process. The issue arises within the of_numa subsystem, where parsing fails to update the state for these memory-only nodes. This can trigger a NULL pointer dereference when the system attempts to access uninitialized memory data. For users leveraging ARM64 architecture, especially in simulated environments like QEMU, this vulnerability may manifest, resulting in severe operational disruptions during system startup.

References