
CVE-2025-37774: Vulnerability in Linux

High
Published: Thu May 01 2025 (05/01/2025, 13:07:13 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

slab: ensure slab->obj_exts is clear in a newly allocated slab page

ktest recently reported crashes while running several buffered io tests with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack. The signature indicates an invalid address dereference with low bits of slab->obj_exts being set. The bits were outside of the range used by page_memcg_data_flags and objext_flags and hence were not masked out by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts. The typical crash log looks like this:

00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
00510 Mem abort info:
00510 ESR = 0x0000000096000045
00510 EC = 0x25: DABT (current EL), IL = 32 bits
00510 SET = 0, FnV = 0
00510 EA = 0, S1PTW = 0
00510 FSC = 0x05: level 1 translation fault
00510 Data abort info:
00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000
00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0
00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000
00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
00510 Internal error: Oops: 0000000096000045 [#1] SMP
00510 Modules linked in:
00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE
00510 Hardware name: linux,dummy-virt (DT)
00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190
00510 lr : __kmalloc_noprof+0x150/0x310
00510 sp : ffffff80c87df6c0
00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200
00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001
00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180
00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000
00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700
00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006
00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58
00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556
00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060
00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000
00510 Call trace:
00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)
00510 __kmalloc_noprof+0x150/0x310
00510 __bch2_folio_create+0x5c/0xf8
00510 bch2_folio_create+0x2c/0x40
00510 bch2_readahead+0xc0/0x460
00510 read_pages+0x7c/0x230
00510 page_cache_ra_order+0x244/0x3a8
00510 page_cache_async_ra+0x124/0x170
00510 filemap_readahead.isra.0+0x58/0xa0
00510 filemap_get_pages+0x454/0x7b0
00510 filemap_read+0xdc/0x418
00510 bch2_read_iter+0x100/0x1b0
00510 vfs_read+0x214/0x300
00510 ksys_read+0x6c/0x108
00510 __arm64_sys_read+0x20/0x30
00510 invoke_syscall.constprop.0+0x54/0xe8
00510 do_el0_svc+0x44/0xc8
00510 el0_svc+0x18/0x58
00510 el0t_64_sync_handler+0x104/0x130
00510 el0t_64_sync+0x154/0x158
00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)
00510 ---[ end trace 0000000000000000 ]---
00510 Kernel panic - not syncing: Oops: Fatal exception
00510 SMP: stopping secondary CPUs
00510 Kernel Offset: disabled
00510 CPU features: 0x0000,000000e0,00000410,8240500b
00510 Memory Limit: none

Investigation indicates that these bits are already set when we allocate a slab page and are not zeroed out after allocation. We are not yet sure why these crashes started happening only recently, but regardless of the reason, not initializing a field that gets used later is wrong. Fix it by initializing slab->obj_exts during slab page allocation.

AI-Powered Analysis

Last updated: 07/03/2025, 23:11:38 UTC

Technical Analysis

CVE-2025-37774 is a vulnerability in the Linux kernel's slab allocator, specifically in the initialization of the slab->obj_exts field when a slab page is allocated. The slab allocator is a core memory-management component responsible for efficient allocation and deallocation of kernel objects. slab->obj_exts holds a pointer to the slab's object extensions together with a few flag bits in its low-order bits; slab_obj_exts() recovers the pointer by masking out the bits used by page_memcg_data_flags and objext_flags. Because the field was not cleared when a new slab page was allocated, residual bits outside that flag range survived the mask, so slab_obj_exts() returned an invalid pointer that was then dereferenced, producing a NULL pointer dereference and a kernel oops. The issue surfaced as crashes reported by ktest during buffered I/O tests, with __alloc_tagging_slab_alloc_hook() at the top of the crash stack. The crash logs show a level 1 translation fault on an access to the low virtual address 0x10, which is typical of dereferencing an uninitialized or corrupted pointer. The root cause is the missing initialization of slab->obj_exts during slab page allocation, a programming error in the kernel memory allocator. Although it is unclear why these crashes only started appearing recently, the fix is to explicitly zero slab->obj_exts when a slab page is allocated, so stale bits can no longer be misinterpreted as a pointer. The vulnerability can cause system instability and kernel panics, leading to denial of service (DoS). There is no indication that it allows privilege escalation or arbitrary code execution. No known exploits were reported in the wild as of the publication date.
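As an added illustration (not kernel code and not part of this record), the following C model shows why uninitialized bits in slab->obj_exts crash the allocation hook: the mask strips only the known flag bits, so any residue above the mask survives as a non-NULL pointer. The 3-bit flag mask, the flag value and the stale value 0x10 are assumptions chosen to mirror the faulting address in the log above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the layout the description implies: slab->obj_exts holds
 * a pointer to the per-object extension array with a few flag bits packed into
 * its low bits. The 3-bit mask and the flag value are assumptions. */
#define OBJEXTS_FLAGS_MASK 0x7UL         /* assumed: low 3 bits carry flags */
#define OBJEXTS_FLAG_EXAMPLE 0x1UL       /* one constructed flag bit */

struct slabobj_ext { uint64_t ref; };    /* stand-in for the alloc-tag ref */
struct slab { unsigned long obj_exts; };

/* Mirrors what the text says slab_obj_exts() does: strip only the flag bits.
 * Anything set above the mask survives and is treated as a pointer. */
static struct slabobj_ext *slab_obj_exts(const struct slab *slab)
{
    return (struct slabobj_ext *)(slab->obj_exts & ~OBJEXTS_FLAGS_MASK);
}

/* Simulated slab page allocation. 'stale' is whatever the previous user of the
 * page left in the field (constructed); zero_on_alloc models the fix. */
static struct slab *alloc_slab_page(unsigned long stale, int zero_on_alloc)
{
    struct slab *slab = malloc(sizeof *slab);
    if (!slab)
        abort();
    slab->obj_exts = zero_on_alloc ? 0 : stale;
    return slab;
}

/* Attach a real extension array, tagging the pointer with a flag bit. */
static void attach_obj_exts(struct slab *slab, struct slabobj_ext *arr)
{
    slab->obj_exts = (unsigned long)arr | OBJEXTS_FLAG_EXAMPLE;
}

/* Address the allocation hook would write to for object 'idx' (&exts[idx].ref),
 * or 0 if it sees a NULL array and skips the slab, as it does for slabs that
 * simply have no extensions. Computed arithmetically so that a bogus pointer
 * can be inspected without dereferencing it. */
static uintptr_t hook_store_address(const struct slab *slab, unsigned idx)
{
    struct slabobj_ext *exts = slab_obj_exts(slab);
    if (!exts)
        return 0;
    return (uintptr_t)exts + idx * sizeof *exts + offsetof(struct slabobj_ext, ref);
}
```

With stale value 0x10 (bit 4, outside the mask) slab_obj_exts() returns (void *)0x10 and the hook would write to address 0x10, the faulting address in the log, whereas a stale value such as 0x5 lies entirely inside the mask and is stripped to NULL. Zeroing the field at allocation, as the fix does, makes every fresh slab look like one without extensions until a real array is attached.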

Potential Impact

For European organizations, this vulnerability poses a significant risk to the stability and availability of Linux-based systems, which are widely used in servers, cloud infrastructure, and embedded devices. A kernel panic triggered by this flaw can cause unexpected system reboots or crashes, disrupting critical services and operations. Organizations relying on Linux for web hosting, database servers, or network infrastructure may experience downtime, impacting business continuity and service level agreements. Although this vulnerability does not appear to enable direct compromise of confidentiality or integrity, the denial of service impact can be severe, especially in environments requiring high availability such as financial institutions, healthcare providers, and government agencies. Additionally, the debugging and remediation efforts may require system downtime, further affecting operational efficiency. The absence of known exploits reduces immediate risk, but the vulnerability's presence in the kernel memory allocator means that any triggered crash could be leveraged by attackers to cause persistent denial of service. European organizations with large-scale Linux deployments, particularly those using kernel versions around 6.15.0-rc1 or similar, should prioritize patching to maintain system reliability.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patch that initializes slab->obj_exts during slab page allocation is essential. Organizations should track kernel updates from trusted sources and deploy them promptly.
2. For environments where immediate patching is not feasible, implement kernel crash monitoring and automated reboot mechanisms to minimize downtime impact.
3. Conduct thorough testing of kernel updates in staging environments to ensure compatibility and stability before production deployment.
4. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce the attack surface, although these do not directly mitigate this specific flaw.
5. Maintain comprehensive system and kernel logs to detect and analyze any kernel oops or crashes related to slab allocator issues.
6. Limit access to systems running vulnerable kernel versions to trusted personnel and networks to reduce the risk of accidental or malicious triggering of the vulnerability.
7. Engage with Linux distribution vendors for backported patches if using long-term support (LTS) kernels to ensure timely remediation.
8. Consider implementing redundancy and failover mechanisms in critical systems to maintain service availability in case of kernel crashes.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-04-16T04:51:23.939Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9832c4522896dcbe83ce

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 11:11:38 PM

Last updated: 8/18/2025, 11:28:52 PM
