CVE-2025-37779: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

lib/iov_iter: fix to increase non slab folio refcount

When testing EROFS file-backed mount over v9fs on qemu, I encountered a folio UAF issue. The page sanity check reports the following call trace. The root cause is that pages in bvec are coalesced across a folio boundary. The refcount of all non-slab folios should be increased to ensure p9_release_pages can put them correctly.

BUG: Bad page state in process md5sum pfn:18300
page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk"
flags: 0x100000000000041(locked|head|node=0|zone=1)
raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Call Trace:
 dump_stack_lvl+0x53/0x70
 bad_page+0xd4/0x220
 __free_pages_ok+0x76d/0xf30
 __folio_put+0x230/0x320
 p9_release_pages+0x179/0x1f0
 p9_virtio_zc_request+0xa2a/0x1230
 p9_client_zc_rpc.constprop.0+0x247/0x700
 p9_client_read_once+0x34d/0x810
 p9_client_read+0xf3/0x150
 v9fs_issue_read+0x111/0x360
 netfs_unbuffered_read_iter_locked+0x927/0x1390
 netfs_unbuffered_read_iter+0xa2/0xe0
 vfs_iocb_iter_read+0x2c7/0x460
 erofs_fileio_rq_submit+0x46b/0x5b0
 z_erofs_runqueue+0x1203/0x21e0
 z_erofs_readahead+0x579/0x8b0
 read_pages+0x19f/0xa70
 page_cache_ra_order+0x4ad/0xb80
 filemap_readahead.isra.0+0xe7/0x150
 filemap_get_pages+0x7aa/0x1890
 filemap_read+0x320/0xc80
 vfs_read+0x6c6/0xa30
 ksys_read+0xf9/0x1c0
 do_syscall_64+0x9e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x71/0x79
AI Analysis
Technical Summary
CVE-2025-37779 is a reference-counting defect in the Linux kernel's lib/iov_iter code, on the path that hands the pages of a bvec-backed iterator to a caller that later releases them one page at a time; here that caller is the 9P client's zero-copy request path. The reporter hit it with an EROFS file-backed mount served over v9fs (9P) in a QEMU guest, but the defect lives in generic iov_iter bvec handling rather than in EROFS or 9P themselves. When consecutive pages in a bvec are physically contiguous they are coalesced into a single extent, and such an extent can straddle a folio boundary. The pre-fix accounting did not take a reference on every folio the extent covers, while p9_release_pages drops one reference per page. A folio that never gained a reference therefore had its refcount driven to zero while the page cache still owned it: the dumped page shows refcount:0 together with a live mapping, aops:z_erofs_aops and the locked flag still set. The folio was freed out from under its owner, which is the use-after-free the commit message describes. The fix increments the refcount of every non-slab folio covered by the extent so that the per-page puts are balanced.

The visible symptom is the "BUG: Bad page state" report from __free_pages_ok. PAGE_FLAGS_CHECK_AT_FREE is a mask of page flags that must be clear when a page is freed; this page still had locked and head set, so the allocator flagged it rather than silently recycling it. The call trace shows the free happening in p9_release_pages inside p9_virtio_zc_request, reached from an ordinary read() (the process is md5sum) via netfs unbuffered read, v9fs and EROFS file-backed I/O. An unprivileged local user who can read files from such a mount can therefore crash the kernel. Whether the premature free can be turned into controlled memory corruption is not established by the record, so privilege escalation or code execution should be treated as unproven rather than assumed. No exploitation in the wild was reported at publication. The CVE record identifies the affected range by the commit hash b9c0e49abfca06f1a109acea834bcfc934f33f76 and carries no CVSS score. The description states that the issue has been resolved upstream, so remediation is a kernel update or a backport of the fix titled "lib/iov_iter: fix to increase non slab folio refcount"; no advisory or patch links were present in the data.
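The accounting mismatch described above, as an added user-space model that is not kernel code and not taken from the commit: the folio and page structs, the two acquire variants, the per-page release and the sample memory layout are all constructed here. The buggy variant puts all references for a contiguous extent on the first page's folio, as if an extent could never straddle folios; the fixed variant references every non-slab folio the extent touches. Release mimics a per-page put and counts how many puts freed a folio its owner still held, the model's equivalent of the "Bad page state" report.

```c
/*
 * Added example: a user-space model of the refcount accounting behind
 * CVE-2025-37779. This is not the kernel's code. The folio/page structs,
 * the acquire/release helpers and the sample layout are constructed to
 * show why referencing only the first folio of a coalesced bvec extent,
 * while releasing one reference per page, frees the second folio early.
 */
#include <stdbool.h>
#include <stdio.h>

#define NR_FOLIOS 3
#define NR_PAGES  6

/* Model folio: refcount, slab flag (the fix skips slab folios) and an
 * "owned" flag standing in for the page cache still using the folio
 * (the real dump shows locked|head and a live mapping on the freed page). */
struct folio {
	int refcount;
	bool slab;
	bool owned;
};

/* Model page: every page belongs to exactly one folio. */
struct page {
	struct folio *folio;
};

/* Constructed layout: folio 0 covers pages 0-3, folio 1 is page 4,
 * folio 2 is a single slab page (page 5). */
static struct folio folios[NR_FOLIOS];
static struct page pages[NR_PAGES];

static void setup_layout(void)
{
	for (int i = 0; i < NR_FOLIOS; i++) {
		folios[i].refcount = 1;   /* the owner's (page cache's) reference */
		folios[i].slab = false;
		folios[i].owned = true;
	}
	folios[2].slab = true;
	for (int p = 0; p < 4; p++)
		pages[p].folio = &folios[0];
	pages[4].folio = &folios[1];
	pages[5].folio = &folios[2];
}

/* Pre-fix pattern as the commit message describes it: pages [start,
 * start+n) form one physically contiguous extent, and the references for
 * the whole extent land on the first page's folio. This is only correct
 * while the extent stays inside one folio. */
static void acquire_per_extent(struct page **out, int start, int n)
{
	struct folio *first = pages[start].folio;

	if (!first->slab)
		first->refcount += n;
	for (int k = 0; k < n; k++)
		out[k] = &pages[start + k];
}

/* Fixed pattern: each page's own folio gets a reference unless it is a
 * slab folio, so the per-page release below is balanced. */
static void acquire_per_page(struct page **out, int start, int n)
{
	for (int k = 0; k < n; k++) {
		struct folio *f = pages[start + k].folio;

		if (!f->slab)
			f->refcount++;
		out[k] = &pages[start + k];
	}
}

/* Release has the shape of p9_release_pages: one put per page. Returns
 * how many puts freed a folio its owner still held, or hit a folio that
 * was already at zero. */
static int release_pages(struct page **arr, int n)
{
	int bad = 0;

	for (int k = 0; k < n; k++) {
		struct folio *f = arr[k]->folio;

		if (f->slab)
			continue;       /* model assumption: slab folios are not put */
		if (f->refcount == 0) {
			bad++;          /* double put of an already freed folio */
			continue;
		}
		if (--f->refcount == 0 && f->owned)
			bad++;          /* freed while the page cache still owns it */
	}
	return bad;
}

/* Acquire pages [start, start+n) with the chosen accounting, release
 * them per page, and return the number of bad frees. */
int run_model(bool use_fix, int start, int n)
{
	struct page *arr[NR_PAGES];

	setup_layout();
	if (use_fix)
		acquire_per_page(arr, start, n);
	else
		acquire_per_extent(arr, start, n);
	return release_pages(arr, n);
}

/* Refcount left on folio idx after run_model(); the owner's single
 * reference must survive for the accounting to be correct. */
int folio_refcount_after(bool use_fix, int start, int n, int idx)
{
	run_model(use_fix, start, n);
	return folios[idx].refcount;
}

int main(void)
{
	/* Extent inside folio 0 only: both variants balance. */
	printf("same folio:  buggy=%d fixed=%d\n",
	       run_model(false, 0, 2), run_model(true, 0, 2));
	/* Extent crossing from folio 0 into folio 1 (and the slab page):
	 * the buggy variant frees folio 1 under its owner and leaks
	 * references on folio 0; the fixed variant leaves every refcount at 1. */
	printf("cross folio: buggy=%d fixed=%d (folio1 after buggy run=%d)\n",
	       run_model(false, 2, 4), run_model(true, 2, 4),
	       folio_refcount_after(false, 2, 4, 1));
	return 0;
}
```

The point the model makes is that the two sides of the contract must agree on granularity: a release that puts per page can only be balanced by an acquire that references per page (skipping the same slab folios on both sides). The leaked references on folio 0 in the buggy run are the quieter half of the bug; the zeroed folio 1 is the half that produced the kernel report.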
Potential Impact
For European organizations the exposure is concentrated in Linux systems that run an affected kernel and actually exercise the vulnerable path: a guest mounting an EROFS image file-backed over a v9fs (9P) share, as in the QEMU setup the reporter used. That combination is a niche one (EROFS file-backed mounts are a recent feature, and 9P shares are common mainly in development VMs, CI runners and some container-on-VM stacks), so blanket exposure across cloud and data-centre fleets should not be assumed. Because the defect sits in generic iov_iter bvec handling rather than in EROFS or 9P, operators should nevertheless not rely on the trigger being limited to this exact filesystem stack until they have confirmed their kernel carries the fix. The reliably demonstrated impact is a kernel crash (denial of service) triggered by an unprivileged read; in a multi-tenant or CI environment that means a guest workload can take down its own kernel and whatever else shares it. Escalation to arbitrary code execution would require turning the premature folio free into a controlled use-after-free; nothing in the record shows that, so it is a possibility to track rather than a demonstrated outcome. Sectors running large Linux virtualization estates (finance, telecommunications, public sector) and embedded or industrial products built on affected kernels are the ones to check, the latter because their patch cadence is slow. No exploits are known at the time of writing.
Mitigation Recommendations
1. Update the kernel. The fix is already merged upstream (the description says the issue "has been resolved"); check your distribution's kernel changelog for CVE-2025-37779 or for the commit title "lib/iov_iter: fix to increase non slab folio refcount", including stable backports, then install and reboot. Track kernel mailing lists and vendor advisories for the backport status of the branches you run.
2. Until patched, keep EROFS file-backed mounts over v9fs away from untrusted or crash-sensitive workloads, since a plain read on such a mount is the trigger. If a guest only needs the data, serving the EROFS image from a block device or copying it into the guest avoids the affected path.
3. Generic kernel hardening such as KASLR does not prevent a refcount underflow; what turned this bug into a loud BUG report rather than silent corruption was the allocator's page sanity checking (enabled by CONFIG_DEBUG_VM). Enable it on test and CI kernels so similar accounting bugs surface before production.
4. Treat guest kernels that mount shared filesystems as crashable: use per-tenant VMs rather than shared guests, and configure automatic restart and alerting so a crash is a contained outage rather than a silent one.
5. Alert on "BUG: Bad page state" and "PAGE_FLAGS_CHECK_AT_FREE flag(s) set" in kernel logs, especially with p9_release_pages or z_erofs_* frames in the trace. In production these are more likely to be this bug being hit than an attack, but either way the host needs attention.
6. For embedded Linux devices, coordinate with the device vendor to obtain firmware or kernel updates that carry the fix.
7. Where runtime security tooling for the kernel is already deployed, make sure it surfaces kernel oopses and bad-page reports as security events rather than only as reliability noise.
8. Keep incident response plans for kernel-level compromise current so that a crash with an unexplained trace is triaged rather than simply rebooted away.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.940Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe83dd
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 11:13:07 PM
Last updated: 7/26/2025, 4:27:07 AM
Related Threats
- CVE-2025-7679: CWE-306 Missing Authentication for Critical Function in ABB Aspect (High)
- CVE-2025-7677: CWE-306 Missing Authentication for Critical Function in ABB Aspect (Medium)
- CVE-2025-53191: CWE-306 Missing Authentication for Critical Function in ABB Aspect (High)
- CVE-2025-53190: CWE-286 in ABB Aspect (High)
- CVE-2025-53189: CWE-639 Authorization Bypass Through User-Controlled Key in ABB Aspect (High)