CVE-2025-37747: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

perf: Fix hang while freeing sigtrap event

Perf can hang while freeing a sigtrap event if a related deferred signal hadn't managed to be sent before the file got closed:

    perf_event_overflow()
       task_work_add(perf_pending_task)

    fput()
       task_work_add(____fput())

    task_work_run()
        ____fput()
            perf_release()
                perf_event_release_kernel()
                    _free_event()
                        perf_pending_task_sync()
                            task_work_cancel() -> FAILED
                            rcuwait_wait_event()

Once task_work_run() is running, the list of pending callbacks is removed from the task_struct and from this point on task_work_cancel() can't remove any pending and not yet started work items, hence the task_work_cancel() failure and the hang on rcuwait_wait_event().

Task work could be changed to remove one work at a time, so a work running on the current task can always cancel a pending one, however the wait / wake design is still subject to inverted dependencies when remote targets are involved, as pictured by Oleg:

    T1                                                  T2
    fd = perf_event_open(pid => T2->pid);               fd = perf_event_open(pid => T1->pid);
    close(fd)                                           close(fd)
        <IRQ>                                               <IRQ>
        perf_event_overflow()                               perf_event_overflow()
           task_work_add(perf_pending_task)                    task_work_add(perf_pending_task)
        </IRQ>                                              </IRQ>
        fput()                                              fput()
           task_work_add(____fput())                           task_work_add(____fput())

        task_work_run()                                     task_work_run()
            ____fput()                                          ____fput()
                perf_release()                                      perf_release()
                    perf_event_release_kernel()                         perf_event_release_kernel()
                        _free_event()                                       _free_event()
                            perf_pending_task_sync()                            perf_pending_task_sync()
                                rcuwait_wait_event()                                rcuwait_wait_event()

Therefore the only option left is to acquire the event reference count upon queueing the perf task work and release it from the task work, just like it was done before 3a5465418f5f ("perf: Fix event leak upon exec and file release") but without the leaks it fixed.

Some adjustments are necessary to make it work:

* A child event might dereference its parent upon freeing. Care must be taken to release the parent last.

* Some places assuming the event doesn't have any reference held and therefore can be freed right away must instead put the reference and let the reference counting do its job.
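The two designs the commit message contrasts, as an added example that is neither the kernel's code nor part of the original advisory: a userspace C model in which task_work_run() detaches the whole pending list, so task_work_cancel() fails and the old perf_pending_task_sync() path would wait forever, while holding an event reference across the queued work lets _free_event() simply drop its reference and the last put frees the event. Every structure, the fixed_design switch and the run_scenario() harness are constructed for this model and do not reflect the kernel's actual data layout.

```c
/* Userspace model of the task_work race in the commit message above. Added example, not
 * kernel code: the names mirror kernel functions, but the bodies are a single-threaded
 * simulation contrasting the old cancel/wait design with the refcount fix. */
#include <stdbool.h>
#include <stddef.h>
enum outcome { OUT_OK = 0, OUT_HANG = 1 };
struct event { int refcount; bool pending_work; bool freed; };
struct work { enum outcome (*func)(struct work *); struct event *ev; struct work *next; };
static struct work *task_works;       /* models task_struct->task_works */
static struct work pending_w, fput_w; /* the perf_pending_task and ____fput work items */
static bool fixed_design;             /* false: old cancel/wait, true: hold a reference */
static void task_work_add(struct work *w) { w->next = task_works; task_works = w; }
static void put_event(struct event *ev) { if (--ev->refcount == 0) ev->freed = true; }
/* As in the kernel, cancel scans only the task's still-pending list. */
static bool task_work_cancel(struct work *w) {
    for (struct work **pp = &task_works; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; return true; }
    return false;
}
/* Deferred sigtrap delivery, running as task work. */
static enum outcome perf_pending_task(struct work *w) {
    w->ev->pending_work = false;          /* ... signal delivered here ... */
    if (fixed_design) put_event(w->ev);   /* fix: drop the reference taken when queued */
    return OUT_OK;
}
/* ____fput() -> perf_release() -> perf_event_release_kernel() -> _free_event() */
static enum outcome fput_work(struct work *w) {
    /* old design: perf_pending_task_sync() must cancel the pending work or wait for it */
    if (!fixed_design && w->ev->pending_work && !task_work_cancel(&pending_w))
        return OUT_HANG;                  /* rcuwait_wait_event() on work queued behind us */
    put_event(w->ev);                     /* drop the file's reference */
    return OUT_OK;
}
/* task_work_run(): detach the whole list, then run it most-recent first. */
static enum outcome task_work_run(void) {
    struct work *w = task_works;
    task_works = NULL;                    /* from here on cancel cannot find these works */
    for (; w; w = w->next) if (w->func(w) == OUT_HANG) return OUT_HANG;
    return OUT_OK;
}
/* One task: an overflow queues the deferred signal, then close(fd) queues ____fput(). */
static enum outcome run_scenario(bool fixed, struct event *ev) {
    fixed_design = fixed;
    *ev = (struct event){ .refcount = 1 };                /* reference held by the open file */
    pending_w = (struct work){ .func = perf_pending_task, .ev = ev };
    fput_w = (struct work){ .func = fput_work, .ev = ev };
    task_work_add(&pending_w); ev->pending_work = true;   /* <IRQ> perf_event_overflow() */
    if (fixed) ev->refcount++;                            /* fix: pin the event while queued */
    task_work_add(&fput_w);                               /* close(fd) -> fput() */
    return task_work_run();
}
```

run_scenario(false, ...) reports OUT_HANG with the event still holding the file's reference, while run_scenario(true, ...) returns OUT_OK and leaves the event freed by the last put in perf_pending_task.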
AI Analysis
Technical Summary
CVE-2025-37747 is a vulnerability identified in the Linux kernel's perf subsystem, specifically related to the handling of sigtrap events during resource cleanup. The issue arises when perf attempts to free a sigtrap event while a deferred signal associated with that event has not yet been delivered, leading to a hang condition. The root cause is a race condition in the task work queue management: when task_work_run() begins executing, it removes the list of pending callbacks from the task_struct, preventing task_work_cancel() from removing any pending but not yet started work items. This results in a failure of task_work_cancel() and causes the system to hang on rcuwait_wait_event(). The vulnerability involves complex interactions between task_work_add(), fput(), and perf_event_overflow() functions, where closing a file descriptor related to perf events triggers a sequence of callbacks that ultimately lead to the hang. Attempts to cancel pending work fail because the work list is already removed, creating inverted dependencies especially when multiple tasks (threads) are involved, as illustrated by the example with two tasks opening and closing perf event file descriptors referencing each other. The fix involves reintroducing reference counting on perf events when queueing task work, ensuring that events are not prematurely freed and that parent-child event relationships are respected during cleanup. This approach prevents the race condition by maintaining proper lifecycle management of perf events during asynchronous task work execution. This vulnerability affects multiple Linux kernel versions identified by specific commit hashes, indicating it spans several recent kernel releases. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The issue is primarily a denial-of-service (DoS) condition caused by kernel hangs, which can impact system stability and availability.
Potential Impact
For European organizations relying on Linux-based systems, especially servers and infrastructure running performance monitoring tools or custom applications utilizing the perf subsystem, this vulnerability poses a risk of system hangs leading to denial of service. Critical infrastructure, cloud service providers, and enterprises with Linux-based monitoring or debugging tools could experience unexpected kernel hangs, resulting in downtime or degraded service availability. The impact is particularly significant for environments with high concurrency and frequent perf event usage, such as data centers, telecom operators, and financial institutions that depend on real-time performance monitoring. A kernel hang can disrupt business operations, cause loss of productivity, and potentially trigger cascading failures in dependent services. While this vulnerability does not directly lead to privilege escalation or data breach, the availability impact can indirectly affect confidentiality and integrity by interrupting security monitoring tools and incident response capabilities. Organizations with stringent uptime requirements and service level agreements (SLAs) must prioritize addressing this issue to maintain operational continuity.
Mitigation Recommendations
To mitigate CVE-2025-37747, European organizations should:
1. Apply the official Linux kernel patches that address this perf subsystem race condition as soon as they become available from trusted sources or Linux distribution vendors.
2. Monitor kernel updates and subscribe to security advisories from Linux distributions commonly used within the organization (e.g., Debian, Ubuntu, Red Hat, SUSE) to ensure timely deployment of fixes.
3. Temporarily limit or audit the use of perf event monitoring tools in production environments where possible, especially in high-concurrency scenarios, to reduce exposure until patches are applied.
4. Implement robust kernel crash and hang detection mechanisms, such as watchdog timers and automated system recovery procedures, to minimize downtime impact.
5. Conduct thorough testing of kernel updates in staging environments to verify stability and compatibility with existing monitoring and performance tools before production rollout.
6. Educate system administrators and DevOps teams about this specific vulnerability to recognize symptoms of kernel hangs related to perf events and respond promptly.
7. Consider isolating critical monitoring workloads or deploying them on dedicated systems to contain potential impact.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.936Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd478
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 10:27:21 PM
Last updated: 8/17/2025, 8:43:01 AM