CVE-2025-37834: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: don't try to reclaim hwpoison folio Syzkaller reports a bug as follows: Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace: add_to_swap+0xbc/0x158 shrink_folio_list+0x12ac/0x2648 shrink_inactive_list+0x318/0x948 shrink_lruvec+0x450/0x720 shrink_node_memcgs+0x280/0x4a8 shrink_node+0x128/0x978 balance_pgdat+0x4f0/0xb20 kswapd+0x228/0x438 kthread+0x214/0x230 ret_from_fork+0x10/0x20 I can reproduce this issue with the following steps: 1) When a dirty swapcache page is isolated by reclaim process and the page isn't locked, inject memory failure for the page. me_swapcache_dirty() clears uptodate flag and tries to delete from lru, but fails. Reclaim process will put the hwpoisoned page back to lru. 2) The process that maps the hwpoisoned page exits, the page is deleted the page will never be freed and will be in the lru forever. 3) If we trigger a reclaim again and tries to reclaim the page, add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is cleared. To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.
AI Analysis
Technical Summary
CVE-2025-37834 is a vulnerability in the Linux kernel's memory management subsystem, specifically within the virtual memory scanning and swap management code. The issue arises in the handling of hardware-poisoned (hwpoison) memory pages during the reclaim process. When a dirty swapcache page is isolated for reclamation and is not locked, injecting a memory failure causes the page's 'uptodate' flag to be cleared. The reclaim process attempts to remove this page from the least recently used (LRU) list but fails, resulting in the hwpoisoned page being reinserted into the LRU list. If the process mapping this hwpoisoned page exits, the page is deleted but never freed, causing it to remain indefinitely in the LRU list. Subsequent reclamation attempts trigger a kernel bug (VM_BUG_ON_FOLIO) due to the inconsistent state of the page flags. The root cause is that the reclaim code does not properly skip or unmap hwpoisoned folios in the shrink_folio_list() function, leading to a kernel BUG and potential system instability or crash. The fix involves skipping hwpoisoned pages during reclamation and ensuring proper unmapping of these pages to prevent them from lingering in the LRU list and causing faults. This vulnerability can be triggered by injecting memory failures and manipulating swapcache pages, leading to kernel oops and potential denial of service. No known exploits are reported in the wild yet, and the vulnerability affects Linux kernel versions identified by specific commit hashes prior to the fix.
Potential Impact
For European organizations, the impact of CVE-2025-37834 can be significant, especially for those relying heavily on Linux-based infrastructure, including servers, cloud environments, and embedded systems. The vulnerability can cause kernel crashes (kernel oops) leading to system instability and denial of service (DoS). This can disrupt critical services, data processing, and availability of applications, particularly in sectors such as finance, healthcare, telecommunications, and government where Linux servers are prevalent. Since the issue involves memory management and swap operations, systems under heavy memory pressure or running workloads with frequent swapping are more susceptible. The inability to properly reclaim hwpoisoned pages can also lead to resource exhaustion over time, further degrading system performance. Although no remote code execution or privilege escalation is indicated, the denial of service impact alone can cause operational disruptions and potential financial losses. Additionally, recovery from kernel crashes may require system reboots, impacting uptime and service continuity. Organizations with strict uptime requirements or those operating critical infrastructure should prioritize addressing this vulnerability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-37834 as soon as they become available from trusted Linux distributions or the kernel maintainers. 2. Monitor kernel updates and subscribe to security advisories from Linux vendors to ensure timely patching. 3. For environments where immediate patching is not feasible, consider reducing memory pressure and swap usage to minimize triggering the vulnerable reclaim path. 4. Implement robust monitoring of kernel logs and system stability to detect early signs of memory management issues or kernel oops events. 5. Use hardware memory error detection and correction features to reduce the likelihood of hwpoisoned pages. 6. In virtualized environments, ensure hypervisor and guest OS memory management are up to date to prevent propagation of memory errors. 7. Conduct thorough testing of kernel updates in staging environments to validate stability before production deployment. 8. Employ system hardening best practices to limit the impact of potential denial of service, such as redundancy, failover mechanisms, and resource limits on processes that can induce memory pressure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2025-37834: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: don't try to reclaim hwpoison folio Syzkaller reports a bug as follows: Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace: add_to_swap+0xbc/0x158 shrink_folio_list+0x12ac/0x2648 shrink_inactive_list+0x318/0x948 shrink_lruvec+0x450/0x720 shrink_node_memcgs+0x280/0x4a8 shrink_node+0x128/0x978 balance_pgdat+0x4f0/0xb20 kswapd+0x228/0x438 kthread+0x214/0x230 ret_from_fork+0x10/0x20 I can reproduce this issue with the following steps: 1) When a dirty swapcache page is isolated by reclaim process and the page isn't locked, inject memory failure for the page. me_swapcache_dirty() clears uptodate flag and tries to delete from lru, but fails. Reclaim process will put the hwpoisoned page back to lru. 2) The process that maps the hwpoisoned page exits, the page is deleted the page will never be freed and will be in the lru forever. 3) If we trigger a reclaim again and tries to reclaim the page, add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is cleared. To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.
AI-Powered Analysis
Technical Analysis
CVE-2025-37834 is a vulnerability in the Linux kernel's memory management subsystem, specifically within the virtual memory scanning and swap management code. The issue arises in the handling of hardware-poisoned (hwpoison) memory pages during the reclaim process. When a dirty swapcache page is isolated for reclamation and is not locked, injecting a memory failure causes the page's 'uptodate' flag to be cleared. The reclaim process attempts to remove this page from the least recently used (LRU) list but fails, resulting in the hwpoisoned page being reinserted into the LRU list. If the process mapping this hwpoisoned page exits, the page is deleted but never freed, causing it to remain indefinitely in the LRU list. Subsequent reclamation attempts trigger a kernel bug (VM_BUG_ON_FOLIO) due to the inconsistent state of the page flags. The root cause is that the reclaim code does not properly skip or unmap hwpoisoned folios in the shrink_folio_list() function, leading to a kernel BUG and potential system instability or crash. The fix involves skipping hwpoisoned pages during reclamation and ensuring proper unmapping of these pages to prevent them from lingering in the LRU list and causing faults. This vulnerability can be triggered by injecting memory failures and manipulating swapcache pages, leading to kernel oops and potential denial of service. No known exploits are reported in the wild yet, and the vulnerability affects Linux kernel versions identified by specific commit hashes prior to the fix.
Potential Impact
For European organizations, the impact of CVE-2025-37834 can be significant, especially for those relying heavily on Linux-based infrastructure, including servers, cloud environments, and embedded systems. The vulnerability can cause kernel crashes (kernel oops) leading to system instability and denial of service (DoS). This can disrupt critical services, data processing, and availability of applications, particularly in sectors such as finance, healthcare, telecommunications, and government where Linux servers are prevalent. Since the issue involves memory management and swap operations, systems under heavy memory pressure or running workloads with frequent swapping are more susceptible. The inability to properly reclaim hwpoisoned pages can also lead to resource exhaustion over time, further degrading system performance. Although no remote code execution or privilege escalation is indicated, the denial of service impact alone can cause operational disruptions and potential financial losses. Additionally, recovery from kernel crashes may require system reboots, impacting uptime and service continuity. Organizations with strict uptime requirements or those operating critical infrastructure should prioritize addressing this vulnerability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-37834 as soon as they become available from trusted Linux distributions or the kernel maintainers. 2. Monitor kernel updates and subscribe to security advisories from Linux vendors to ensure timely patching. 3. For environments where immediate patching is not feasible, consider reducing memory pressure and swap usage to minimize triggering the vulnerable reclaim path. 4. Implement robust monitoring of kernel logs and system stability to detect early signs of memory management issues or kernel oops events. 5. Use hardware memory error detection and correction features to reduce the likelihood of hwpoisoned pages. 6. In virtualized environments, ensure hypervisor and guest OS memory management are up to date to prevent propagation of memory errors. 7. Conduct thorough testing of kernel updates in staging environments to validate stability before production deployment. 8. Employ system hardening best practices to limit the impact of potential denial of service, such as redundancy, failover mechanisms, and resource limits on processes that can induce memory pressure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-04-16T04:51:23.951Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9819c4522896dcbd88d6
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/4/2025, 12:12:13 AM
Last updated: 8/14/2025, 1:54:27 AM
Views: 18
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.