CVE-2025-37764 addresses a memory leak vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the Imagination Technologies PowerVR (powervr) graphics driver module. The issue arises from improper handling of firmware image processing during module load and unload operations. When the powervr kernel module is unloaded, the memory allocated to hold the results of firmware image processing was not properly freed, leading to persistent memory leaks. Additionally, if the firmware image processing fails during module load, the allocated firmware GEM (Graphics Execution Manager) objects were not destroyed, causing further memory leaks. These leaks were detected by the kernel memory leak detector (kmemleak), with unreferenced objects of significant size (e.g., 94,208 bytes and 20,480 bytes) remaining allocated after module unload or failed load attempts. The vulnerability is rooted in the pvr_fw_init function within the powervr driver, which allocates memory without ensuring its release under failure or unload conditions. The fix involves explicitly freeing all allocated memory related to firmware image processing and destroying all GEM objects if processing fails, thereby preventing memory leaks. This vulnerability affects specific Linux kernel versions identified by the commit hash cc1aeedb98ad347c06ff59e991b2f94dfb4c565d. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

For European organizations, the impact of this vulnerability is primarily related to system stability and resource exhaustion rather than direct compromise of confidentiality or integrity. Memory leaks in kernel modules can lead to gradual depletion of system memory, potentially causing degraded performance, system slowdowns, or crashes, especially on systems heavily utilizing the powervr graphics driver. This can affect servers, workstations, or embedded devices running affected Linux kernel versions with powervr support. Organizations relying on Linux-based infrastructure with powervr hardware or software components may experience increased downtime or require more frequent reboots to mitigate memory exhaustion. While this vulnerability does not directly enable privilege escalation or remote code execution, the resulting denial of service through resource exhaustion could disrupt critical services. European sectors with high dependency on Linux systems for graphics processing, such as telecommunications, automotive, industrial control, and media production, could be more affected. Additionally, embedded systems in IoT or specialized hardware using powervr GPUs may be vulnerable to stability issues. The absence of known exploits reduces immediate risk, but unpatched systems remain susceptible to potential future exploitation or operational disruptions.

To mitigate this vulnerability, European organizations should prioritize updating their Linux kernel to the patched version that includes the fix for CVE-2025-37764. Specifically, ensure that the kernel version includes the commit cc1aeedb98ad347c06ff59e991b2f94dfb4c565d or later. For environments where immediate patching is not feasible, organizations should monitor system memory usage closely on devices using the powervr driver and schedule regular maintenance windows to reboot affected systems to clear leaked memory. Additionally, auditing the use of powervr modules and disabling or unloading them on systems where they are not required can reduce exposure. For embedded or specialized devices, coordinate with hardware vendors to obtain firmware or kernel updates incorporating the fix. Implementing kernel memory leak detection tools like kmemleak in testing environments can help identify residual leaks and verify patch effectiveness. Finally, maintain robust system monitoring and alerting to detect abnormal memory consumption patterns indicative of this vulnerability being triggered.